{ "type": "URL", "indicator": "https://github.com/yck1509/ConfuserEx", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/yck1509/ConfuserEx", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3842354287, "indicator": "https://github.com/yck1509/ConfuserEx", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6946cb8e3eff732bd3d47bff", "name": "Thor Lite - 07.27.25 - APT Detections [by Disable_Duck]", "description": "", "modified": "2025-12-20T16:15:10.914000", "created": "2025-12-20T16:15:10.914000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6887d46c19a44d6affd7bd2d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6887d46c19a44d6affd7bd2d", "name": "Thor Lite - 07.27.25 - APT Detections [un-enriched]", "description": "Thor Lite Scan on Windows PC (a psuedo mirror of sorts) of a University of Alberta, Alberta Health Services, Covenant Health, Government of Alberta Portable Workstation. Files uploaded to VT.\nUpdated Note: Included IOCs from Filescanio\nRan files through: Neiki, FileScanio, Polyswarm, Triage, Metadefender, Hybrid Analysis, Threatzone, Virustotal\nTPs = This Pulse - IOCs from references", "modified": "2025-08-28T16:04:17.368000", "created": "2025-07-28T19:50:04.469000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67a219f7c06d372f86335d64", "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched", "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF", "modified": "2025-03-09T16:04:43.604000", "created": "2025-02-04T13:45:27.169000", "tags": [ "stuff", "data", "no problems", "upload", "problems1", "progressb", "progressi", "onedrive", "files", "bitdefender", "scanid", "lite version", "ioc jan", "thor lite", "ip address", "writing", "cron", "envcheck", "filescan", "firewall", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "arch", "hosts" ], "references": [ "pop-os_files_md5s.csv", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-yIBIO4Ib0l4", "SCANID: S-9uT7vEdHwHk", "SCANID: S-4FSYbAVw6TA", "SCANID: S-4jjwyMrjTU0", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "SCANID: S-CadvV0Kd35c", "SCANID: S-0LxiGnOve0Q", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 701, "FileHash-SHA1": 871, "FileHash-SHA256": 897, "URL": 2920, "domain": 388, "email": 17, "CVE": 830, "hostname": 295 }, "indicator_count": 6919, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6706b52d4f2c0f49ac7cece9", "name": "Thor Lite 64 - 10.09.24", "description": "Just a Thor Lite 64 scan of 'things missed' on sample device.", "modified": "2024-11-08T16:00:58.458000", "created": "2024-10-09T16:54:05.079000", "tags": [ "data", "no problems", "sg2backup drive", "upload", "entry", "sun oct", "sigtype1", "exists1", "subscore1", "size2", "score", "service", "error", "procdump", "metasploit", "trash", "school", "info", "confuserex", "virustotal", "probe", "copyleft", "path", "recursive", "supportavast", "problems1", "onedrive", "copied", "backup", "progressb", "scanid", "size1", "fri may", "company1", "mz created1", "desc1", "originalname1", "md51", "imphash1", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "model", "arch", "hosts", "pass", "ransomware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "URL": 89, "CVE": 13, "FileHash-MD5": 1136, "FileHash-SHA1": 647, "FileHash-SHA256": 604, "hostname": 47, "email": 2 }, "indicator_count": 2563, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "526 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666a8c16f1d9c3d26f51ea30", "name": "Thor Lite Scan Kano & SG2 - 06.12.24", "description": "Just a Thor-Lite scan of W11 Kano PC sample and SG2 Backup Drive\n\n06.12.24: https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "modified": "2024-07-13T05:00:16.603000", "created": "2024-06-13T06:05:10.629000", "tags": [ "entity", "please", "javascript", "data", "upload", "drive", "no problems", "supportavast", "problems1", "progressb", "bitdefender", "nortoninstaller", "files", "scanid", "size1", "exists1", "company1", "mz created1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "metasploit", "virustotal", "score", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "service", "procdump", "probe", "model", "arch", "hosts", "confuserex", "sliver", "module", "sun sep", "sigtype1", "threat network", "subscore1", "rule matched1", "info", "click" ], "references": [ "https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/summary", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/iocs", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 969, "FileHash-SHA1": 541, "FileHash-SHA256": 645, "domain": 29, "URL": 168, "CVE": 10, "email": 2, "hostname": 90 }, "indicator_count": 2454, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d2f82dedd5610be65ff681", "name": "Thor Lite Scan (Nextron System) - 02.18.24 - WB1 & QB2", "description": "2 Windows 11 PCs scanned w. THOR Scanner Lite (Nextron Systems)\n\u2014\n(Read Comments Below VT IOCs comments section: passed through several platforms)\n\nef48ddc79c3dbf92e90305a6af3f0e3eae0350123452f0d1cdcc68a717c07283\nWorker_Bee1_thor_2024-02-18_1244.txt\n\n9523c257b8f41408e11925946f9063add80f39a0dfcac85fcdf9f91f2da9c283\nQueen_Beedos_2_thor_2024-02-18_1028.txt\n\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n\nIOCs parsed by Inquest Labs:\n\nhttps://labs.inquest.net/dfi/search/ext/ext_code#results#eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ== (Worker_Bee1)\n\nhttps://labs.inquest.net/dfi/search/ext/ext_code#results#eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ== (Queen_Bee)\n\n---\n\nhttps://www.virustotal.com/graph/embed/g37b82daccb5b42d6b81cb78259627f11475f2b207ebc431d9e01eaf352ff1edc?theme=dark\n\n---\n\n***Not completely vetted for false Positives***", "modified": "2024-03-20T05:01:23.294000", "created": "2024-02-19T06:41:49.240000", "tags": [ "urls", "please", "javascript", "workerbee1nicu", "sigtype1", "tue dec", "wed dec", "subscore1", "sun feb", "reasonscount", "detects", "unknown", "rule iconfile", "powersploit", "code", "click", "problems1", "data", "no problems", "upload", "progress1", "nortoninstaller", "tweaker", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/886fd8743a29ef72389c4df6c0789577295100863310e0a8e3529821083fde0e", "Worker_Bee1_thor_2024-02-18_1244.html", "Queen_Beedos_2_files_md5s.csv", "Worker_Bee1_files_md5s.csv", "https://www.virustotal.com/graph/embed/g37b82daccb5b42d6b81cb78259627f11475f2b207ebc431d9e01eaf352ff1edc?theme=dark", "https://ualbertaca-my.sharepoint.com/:t:/g/personal/jwanihad_ualberta_ca/Eaq_PnFBD8BBks9I4xk-CQYBT2dbPsCC5PQNMY-vFKSqXg?e=tr6NoV", "https://ualbertaca-my.sharepoint.com/:t:/g/personal/jwanihad_ualberta_ca/EfQCvudjhp9BpoiQ5GZBf8MBhHssfc_FPfh-HZygzr0YKw?e=TaaNmT", "https://ualbertaca-my.sharepoint.com/:u:/g/personal/jwanihad_ualberta_ca/EaaJ7nScHFJBjUGajjvf7aMBS3JdeIWM8N6NYaDl534CEg?e=bDuEAi", "https://ualbertaca-my.sharepoint.com/:b:/g/personal/jwanihad_ualberta_ca/EWG3cwhV74JJvkCL0XQxN8IBVxD7UrLivvH7_llEmUn9_Q?e=Zarqz4" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 19, "URL": 15, "FileHash-MD5": 20, "FileHash-SHA1": 23, "domain": 2, "hostname": 8 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://ualbertaca-my.sharepoint.com/:t:/g/personal/jwanihad_ualberta_ca/Eaq_PnFBD8BBks9I4xk-CQYBT2dbPsCC5PQNMY-vFKSqXg?e=tr6NoV", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/summary", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "SCANID: S-CadvV0Kd35c", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/iocs", "SCANID: S-yIBIO4Ib0l4", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "SCANID: S-9uT7vEdHwHk", "SCANID: S-0LxiGnOve0Q", "Bitch-On-Wheels_files_md5s.csv", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "Worker_Bee1_thor_2024-02-18_1244.html", "https://tria.ge/250729-s1vysaywgy", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "Worker_Bee1_files_md5s.csv", "https://www.virustotal.com/graph/embed/g37b82daccb5b42d6b81cb78259627f11475f2b207ebc431d9e01eaf352ff1edc?theme=dark", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "Queen_Beedos_2_files_md5s.csv", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "https://ualbertaca-my.sharepoint.com/:t:/g/personal/jwanihad_ualberta_ca/EfQCvudjhp9BpoiQ5GZBf8MBhHssfc_FPfh-HZygzr0YKw?e=TaaNmT", "https://ualbertaca-my.sharepoint.com/:b:/g/personal/jwanihad_ualberta_ca/EWG3cwhV74JJvkCL0XQxN8IBVxD7UrLivvH7_llEmUn9_Q?e=Zarqz4", "https://ualbertaca-my.sharepoint.com/:u:/g/personal/jwanihad_ualberta_ca/EaaJ7nScHFJBjUGajjvf7aMBS3JdeIWM8N6NYaDl534CEg?e=bDuEAi", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://www.virustotal.com/gui/collection/886fd8743a29ef72389c4df6c0789577295100863310e0a8e3529821083fde0e", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/graph", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "SCANID: S-jZUP9vdJp8E", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "pop-os_files_md5s.csv", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "SCANID: S-YV38dG9guZE", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "SCANID: S-4jjwyMrjTU0", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "SCANID: S-4FSYbAVw6TA", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Unknown" ], "malware_families": [], "industries": [ "Healthcare", "Government", "Education", "Technology", "Telecommunications" ], "unique_indicators": 14031 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6946cb8e3eff732bd3d47bff", "name": "Thor Lite - 07.27.25 - APT Detections [by Disable_Duck]", "description": "", "modified": "2025-12-20T16:15:10.914000", "created": "2025-12-20T16:15:10.914000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6887d46c19a44d6affd7bd2d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6887d46c19a44d6affd7bd2d", "name": "Thor Lite - 07.27.25 - APT Detections [un-enriched]", "description": "Thor Lite Scan on Windows PC (a psuedo mirror of sorts) of a University of Alberta, Alberta Health Services, Covenant Health, Government of Alberta Portable Workstation. Files uploaded to VT.\nUpdated Note: Included IOCs from Filescanio\nRan files through: Neiki, FileScanio, Polyswarm, Triage, Metadefender, Hybrid Analysis, Threatzone, Virustotal\nTPs = This Pulse - IOCs from references", "modified": "2025-08-28T16:04:17.368000", "created": "2025-07-28T19:50:04.469000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67a219f7c06d372f86335d64", "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched", "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF", "modified": "2025-03-09T16:04:43.604000", "created": "2025-02-04T13:45:27.169000", "tags": [ "stuff", "data", "no problems", "upload", "problems1", "progressb", "progressi", "onedrive", "files", "bitdefender", "scanid", "lite version", "ioc jan", "thor lite", "ip address", "writing", "cron", "envcheck", "filescan", "firewall", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "arch", "hosts" ], "references": [ "pop-os_files_md5s.csv", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-yIBIO4Ib0l4", "SCANID: S-9uT7vEdHwHk", "SCANID: S-4FSYbAVw6TA", "SCANID: S-4jjwyMrjTU0", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "SCANID: S-CadvV0Kd35c", "SCANID: S-0LxiGnOve0Q", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 701, "FileHash-SHA1": 871, "FileHash-SHA256": 897, "URL": 2920, "domain": 388, "email": 17, "CVE": 830, "hostname": 295 }, "indicator_count": 6919, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6706b52d4f2c0f49ac7cece9", "name": "Thor Lite 64 - 10.09.24", "description": "Just a Thor Lite 64 scan of 'things missed' on sample device.", "modified": "2024-11-08T16:00:58.458000", "created": "2024-10-09T16:54:05.079000", "tags": [ "data", "no problems", "sg2backup drive", "upload", "entry", "sun oct", "sigtype1", "exists1", "subscore1", "size2", "score", "service", "error", "procdump", "metasploit", "trash", "school", "info", "confuserex", "virustotal", "probe", "copyleft", "path", "recursive", "supportavast", "problems1", "onedrive", "copied", "backup", "progressb", "scanid", "size1", "fri may", "company1", "mz created1", "desc1", "originalname1", "md51", "imphash1", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "model", "arch", "hosts", "pass", "ransomware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "URL": 89, "CVE": 13, "FileHash-MD5": 1136, "FileHash-SHA1": 647, "FileHash-SHA256": 604, "hostname": 47, "email": 2 }, "indicator_count": 2563, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "526 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666a8c16f1d9c3d26f51ea30", "name": "Thor Lite Scan Kano & SG2 - 06.12.24", "description": "Just a Thor-Lite scan of W11 Kano PC sample and SG2 Backup Drive\n\n06.12.24: https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "modified": "2024-07-13T05:00:16.603000", "created": "2024-06-13T06:05:10.629000", "tags": [ "entity", "please", "javascript", "data", "upload", "drive", "no problems", "supportavast", "problems1", "progressb", "bitdefender", "nortoninstaller", "files", "scanid", "size1", "exists1", "company1", "mz created1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "metasploit", "virustotal", "score", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "service", "procdump", "probe", "model", "arch", "hosts", "confuserex", "sliver", "module", "sun sep", "sigtype1", "threat network", "subscore1", "rule matched1", "info", "click" ], "references": [ "https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/summary", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/iocs", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 969, "FileHash-SHA1": 541, "FileHash-SHA256": 645, "domain": 29, "URL": 168, "CVE": 10, "email": 2, "hostname": 90 }, "indicator_count": 2454, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d2f82dedd5610be65ff681", "name": "Thor Lite Scan (Nextron System) - 02.18.24 - WB1 & QB2", "description": "2 Windows 11 PCs scanned w. THOR Scanner Lite (Nextron Systems)\n\u2014\n(Read Comments Below VT IOCs comments section: passed through several platforms)\n\nef48ddc79c3dbf92e90305a6af3f0e3eae0350123452f0d1cdcc68a717c07283\nWorker_Bee1_thor_2024-02-18_1244.txt\n\n9523c257b8f41408e11925946f9063add80f39a0dfcac85fcdf9f91f2da9c283\nQueen_Beedos_2_thor_2024-02-18_1028.txt\n\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n\nIOCs parsed by Inquest Labs:\n\nhttps://labs.inquest.net/dfi/search/ext/ext_code#results#eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ== (Worker_Bee1)\n\nhttps://labs.inquest.net/dfi/search/ext/ext_code#results#eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ== (Queen_Bee)\n\n---\n\nhttps://www.virustotal.com/graph/embed/g37b82daccb5b42d6b81cb78259627f11475f2b207ebc431d9e01eaf352ff1edc?theme=dark\n\n---\n\n***Not completely vetted for false Positives***", "modified": "2024-03-20T05:01:23.294000", "created": "2024-02-19T06:41:49.240000", "tags": [ "urls", "please", "javascript", "workerbee1nicu", "sigtype1", "tue dec", "wed dec", "subscore1", "sun feb", "reasonscount", "detects", "unknown", "rule iconfile", "powersploit", "code", "click", "problems1", "data", "no problems", "upload", "progress1", "nortoninstaller", "tweaker", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/886fd8743a29ef72389c4df6c0789577295100863310e0a8e3529821083fde0e", "Worker_Bee1_thor_2024-02-18_1244.html", "Queen_Beedos_2_files_md5s.csv", "Worker_Bee1_files_md5s.csv", "https://www.virustotal.com/graph/embed/g37b82daccb5b42d6b81cb78259627f11475f2b207ebc431d9e01eaf352ff1edc?theme=dark", "https://ualbertaca-my.sharepoint.com/:t:/g/personal/jwanihad_ualberta_ca/Eaq_PnFBD8BBks9I4xk-CQYBT2dbPsCC5PQNMY-vFKSqXg?e=tr6NoV", "https://ualbertaca-my.sharepoint.com/:t:/g/personal/jwanihad_ualberta_ca/EfQCvudjhp9BpoiQ5GZBf8MBhHssfc_FPfh-HZygzr0YKw?e=TaaNmT", "https://ualbertaca-my.sharepoint.com/:u:/g/personal/jwanihad_ualberta_ca/EaaJ7nScHFJBjUGajjvf7aMBS3JdeIWM8N6NYaDl534CEg?e=bDuEAi", "https://ualbertaca-my.sharepoint.com/:b:/g/personal/jwanihad_ualberta_ca/EWG3cwhV74JJvkCL0XQxN8IBVxD7UrLivvH7_llEmUn9_Q?e=Zarqz4" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 19, "URL": 15, "FileHash-MD5": 20, "FileHash-SHA1": 23, "domain": 2, "hostname": 8 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/yck1509/ConfuserEx", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/yck1509/ConfuserEx", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611329.4834442 }