{ "type": "URL", "indicator": "https://github.com/select2/select2/blob/master/LICENSE.md", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/select2/select2/blob/master/LICENSE.md", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2821931243, "indicator": "https://github.com/select2/select2/blob/master/LICENSE.md", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69cf21c05e91f60db7f6ed64", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:12.197000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf21c0e67b23d631499583", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:12.886000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf21c1d1238f23716a11f6", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:13.985000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654e46078568d62bc323e093", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:02:31.518000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654e46130211d24d7f9ef311", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:02:43.841000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654e469fbf2e1c732bbeb7a3", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76\n\nAllows bad actor to alter diagnosis without physician override or documentation of.", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:05:03.947000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a598f3d4e8c2cffd4f73", "name": "SMS SPY \u2022 Remote Access", "description": "", "modified": "2023-12-06T16:47:19.410000", "created": "2023-12-06T16:47:19.410000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1043, "hostname": 684, "domain": 639, "FileHash-MD5": 382, "FileHash-SHA1": 212, "URL": 2215 }, "indicator_count": 5175, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650b67e5a3ff15727eed5a06", "name": "SMS SPY \u2022 Remote Access", "description": "Malvertizing. Spyware\nMalbranding:\nTagging tool tags allows adversaries to tag targets name in malicious website. Target may be lured by salacious content featuring their own name or someone known to person, click on link infecting devices.", "modified": "2023-10-20T21:00:45.519000", "created": "2023-09-20T21:45:09.422000", "tags": [ "site", "cisco umbrella", "alexa top", "million", "alexa", "united", "engineering", "phishing", "bank", "cobalt strike", "emotet", "phishtank", "spammer", "malware site", "deepscan", "malicious", "smsspy", "bradesco", "stealer", "facebook", "download", "service", "zbot", "formbook", "coinminer", "raccoonstealer", "social engineering", "vj75", "http", "oid3", "vis1", "redirect chain", "z554903578", "slfrd1", "xpccbgarern6r", "xpcyqqhir7yvq", "xpchgxkc32lbs", "pattern match", "q0o0mahttp", "pfunction", "lkvoid", "glfunction", "befunction", "mrtk", "7jfjrw", "zzvyn6uhsb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:MSIL/RacoonStealer", "display_name": "Trojan:MSIL/RacoonStealer", "target": "/malware/Trojan:MSIL/RacoonStealer" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zbot", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 639, "hostname": 684, "FileHash-MD5": 382, "FileHash-SHA1": 212, "FileHash-SHA256": 1043, "URL": 2215 }, "indicator_count": 5175, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "954 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Webtoolbar", "Trojanspy:win32/bradesco", "Formbook", "Cobalt strike", "Gc", "Trojan:msil/racoonstealer", "Trojanspy", "Alf:heraklezeval:trojan:win32/zbot" ], "industries": [], "unique_indicators": 21001 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69cf21c05e91f60db7f6ed64", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:12.197000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf21c0e67b23d631499583", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:12.886000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf21c1d1238f23716a11f6", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:13.985000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654e46078568d62bc323e093", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:02:31.518000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654e46130211d24d7f9ef311", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:02:43.841000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654e469fbf2e1c732bbeb7a3", "name": "Imaging Center affected by WebToolbar \u2022 Critical C2 and Mitre Att", "description": "Critical - dpqhhab.exe\n216d5b6361d88c59cd0fb66c0ca94a27f6c1e0d592fc325b6d58929d4d5a1e76\n\nAllows bad actor to alter diagnosis without physician override or documentation of.", "modified": "2023-12-10T13:00:37.604000", "created": "2023-11-10T15:05:03.947000", "tags": [ "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "malware site", "phishing site", "malicious site", "crack", "wacatac", "unsafe", "phishing", "xrat", "xtrat", "nircmd", "swrort", "iframe", "downldr", "installcore", "agent", "unruy", "filetour", "cleaner", "patcher", "adload", "win64", "artemis", "riskware", "genkryptik", "fuery", "alexa", "blacklist https", "united", "ip address", "presenoker", "opencandy", "exploit", "quasar rat", "mimikatz", "malicious", "applicunwnt", "acint", "systweak", "behav", "tiggre", "conduit", "trojanspy", "webtoolbar", "gc", "xfbml1", "pattern match", "file", "ascii text", "indicator", "windows nt", "script", "appdata", "mitre att", "date", "unknown", "error", "hybrid", "general", "local", "click", "facebook", "strings", "class", "generator", "critical", "ssl certificate", "whois record", "threat roundup", "october", "contacted", "january", "resolutions", "whois whois", "june", "communicating", "february" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 221, "FileHash-SHA1": 171, "FileHash-SHA256": 2904, "domain": 4834, "hostname": 1631, "CVE": 9, "URL": 5670 }, "indicator_count": 15440, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a598f3d4e8c2cffd4f73", "name": "SMS SPY \u2022 Remote Access", "description": "", "modified": "2023-12-06T16:47:19.410000", "created": "2023-12-06T16:47:19.410000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1043, "hostname": 684, "domain": 639, "FileHash-MD5": 382, "FileHash-SHA1": 212, "URL": 2215 }, "indicator_count": 5175, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650b67e5a3ff15727eed5a06", "name": "SMS SPY \u2022 Remote Access", "description": "Malvertizing. Spyware\nMalbranding:\nTagging tool tags allows adversaries to tag targets name in malicious website. Target may be lured by salacious content featuring their own name or someone known to person, click on link infecting devices.", "modified": "2023-10-20T21:00:45.519000", "created": "2023-09-20T21:45:09.422000", "tags": [ "site", "cisco umbrella", "alexa top", "million", "alexa", "united", "engineering", "phishing", "bank", "cobalt strike", "emotet", "phishtank", "spammer", "malware site", "deepscan", "malicious", "smsspy", "bradesco", "stealer", "facebook", "download", "service", "zbot", "formbook", "coinminer", "raccoonstealer", "social engineering", "vj75", "http", "oid3", "vis1", "redirect chain", "z554903578", "slfrd1", "xpccbgarern6r", "xpcyqqhir7yvq", "xpchgxkc32lbs", "pattern match", "q0o0mahttp", "pfunction", "lkvoid", "glfunction", "befunction", "mrtk", "7jfjrw", "zzvyn6uhsb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:MSIL/RacoonStealer", "display_name": "Trojan:MSIL/RacoonStealer", "target": "/malware/Trojan:MSIL/RacoonStealer" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zbot", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy:Win32/Bradesco", "display_name": "TrojanSpy:Win32/Bradesco", "target": "/malware/TrojanSpy:Win32/Bradesco" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 639, "hostname": 684, "FileHash-MD5": 382, "FileHash-SHA1": 212, "FileHash-SHA256": 1043, "URL": 2215 }, "indicator_count": 5175, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "954 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/select2/select2/blob/master/LICENSE.md", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/select2/select2/blob/master/LICENSE.md", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780282152.9864566 }