{
  "type": "URL",
  "indicator": "https://hs7.linux.pl/roundcube",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://hs7.linux.pl/roundcube",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3746548105,
      "indicator": "https://hs7.linux.pl/roundcube",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "64ee2668cad3bfce7a474d79",
          "name": "IOC's from my personal devices for the week starting 08/28/23 - leveraging Yara, overwhelmed",
          "description": "placeholder\n\nAt present I have well over 2000 detections just on this one device - I'm working on getting everything presentable.",
          "modified": "2024-02-10T03:37:00.560000",
          "created": "2023-08-29T17:10:00.158000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "unicode",
            "indicator",
            "file",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "hybrid analysis",
            "suspicious",
            "hybrid",
            "close",
            "click",
            "august",
            "crypto",
            "strings",
            "malicious",
            "podcast",
            "team",
            "june",
            "error",
            "virtual size",
            "fail",
            "media",
            "path",
            "entropy",
            "alienvault",
            "open threat"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
            "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
            "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
            "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
            "https://tria.ge/230825-pdyvdabe74",
            "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "Poet RAT",
              "display_name": "Poet RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Ponmocup",
              "display_name": "TrojanDropper:Win32/Ponmocup",
              "target": "/malware/TrojanDropper:Win32/Ponmocup"
            },
            {
              "id": "Shylock",
              "display_name": "Shylock",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "TrojanSpy:Win32/Warpp",
              "display_name": "TrojanSpy:Win32/Warpp",
              "target": "/malware/TrojanSpy:Win32/Warpp"
            },
            {
              "id": "IronTiger",
              "display_name": "IronTiger",
              "target": null
            },
            {
              "id": "wimmie",
              "display_name": "wimmie",
              "target": null
            },
            {
              "id": "lsadump",
              "display_name": "lsadump",
              "target": null
            },
            {
              "id": "SURTR",
              "display_name": "SURTR",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 68,
            "URL": 119,
            "domain": 36,
            "hostname": 88,
            "email": 1,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 442,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "843 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64f379639e77ae81f51fb1a6",
          "name": "IOC's from my personal devices for the week starting 08/28/23 (byMeekd1904) hmm?",
          "description": "",
          "modified": "2023-09-02T18:05:23.864000",
          "created": "2023-09-02T18:05:23.864000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "unicode",
            "indicator",
            "file",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "hybrid analysis",
            "suspicious",
            "hybrid",
            "close",
            "click",
            "august",
            "crypto",
            "strings",
            "malicious",
            "podcast",
            "team",
            "june",
            "error",
            "virtual size",
            "fail",
            "media",
            "path",
            "entropy",
            "alienvault",
            "open threat"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
            "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
            "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
            "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
            "https://tria.ge/230825-pdyvdabe74",
            "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "Poet RAT",
              "display_name": "Poet RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Ponmocup",
              "display_name": "TrojanDropper:Win32/Ponmocup",
              "target": "/malware/TrojanDropper:Win32/Ponmocup"
            },
            {
              "id": "Shylock",
              "display_name": "Shylock",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "TrojanSpy:Win32/Warpp",
              "display_name": "TrojanSpy:Win32/Warpp",
              "target": "/malware/TrojanSpy:Win32/Warpp"
            },
            {
              "id": "IronTiger",
              "display_name": "IronTiger",
              "target": null
            },
            {
              "id": "wimmie",
              "display_name": "wimmie",
              "target": null
            },
            {
              "id": "lsadump",
              "display_name": "lsadump",
              "target": null
            },
            {
              "id": "SURTR",
              "display_name": "SURTR",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": "64ee2668cad3bfce7a474d79",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 68,
            "URL": 119,
            "domain": 36,
            "hostname": 88,
            "email": 1,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 442,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "1003 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
        "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
        "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
        "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086",
        "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://tria.ge/230825-pdyvdabe74",
        "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "N/A"
          ],
          "malware_families": [
            "Cobalt strike",
            "Trojan:linux/rootkit",
            "Shylock",
            "Lsadump",
            "Trojandropper:win32/ponmocup",
            "Spyeye",
            "Trojanspy:win32/warpp",
            "Wimmie",
            "Poet rat",
            "Virus:win95/cerebrus",
            "Surtr",
            "Irontiger"
          ],
          "industries": [
            "Individuals"
          ],
          "unique_indicators": 432
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/linux.pl",
    "whois": "http://whois.domaintools.com/linux.pl",
    "domain": "linux.pl",
    "hostname": "hs7.linux.pl"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "64ee2668cad3bfce7a474d79",
      "name": "IOC's from my personal devices for the week starting 08/28/23 - leveraging Yara, overwhelmed",
      "description": "placeholder\n\nAt present I have well over 2000 detections just on this one device - I'm working on getting everything presentable.",
      "modified": "2024-02-10T03:37:00.560000",
      "created": "2023-08-29T17:10:00.158000",
      "tags": [
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "unicode",
        "indicator",
        "file",
        "ck id",
        "mitre att",
        "show technique",
        "ck matrix",
        "hybrid analysis",
        "suspicious",
        "hybrid",
        "close",
        "click",
        "august",
        "crypto",
        "strings",
        "malicious",
        "podcast",
        "team",
        "june",
        "error",
        "virtual size",
        "fail",
        "media",
        "path",
        "entropy",
        "alienvault",
        "open threat"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
        "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
        "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
        "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
        "https://tria.ge/230825-pdyvdabe74",
        "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
      ],
      "public": 1,
      "adversary": "N/A",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SpyEye",
          "display_name": "SpyEye",
          "target": null
        },
        {
          "id": "Trojan:Linux/Rootkit",
          "display_name": "Trojan:Linux/Rootkit",
          "target": "/malware/Trojan:Linux/Rootkit"
        },
        {
          "id": "Poet RAT",
          "display_name": "Poet RAT",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/Ponmocup",
          "display_name": "TrojanDropper:Win32/Ponmocup",
          "target": "/malware/TrojanDropper:Win32/Ponmocup"
        },
        {
          "id": "Shylock",
          "display_name": "Shylock",
          "target": null
        },
        {
          "id": "Virus:Win95/Cerebrus",
          "display_name": "Virus:Win95/Cerebrus",
          "target": "/malware/Virus:Win95/Cerebrus"
        },
        {
          "id": "TrojanSpy:Win32/Warpp",
          "display_name": "TrojanSpy:Win32/Warpp",
          "target": "/malware/TrojanSpy:Win32/Warpp"
        },
        {
          "id": "IronTiger",
          "display_name": "IronTiger",
          "target": null
        },
        {
          "id": "wimmie",
          "display_name": "wimmie",
          "target": null
        },
        {
          "id": "lsadump",
          "display_name": "lsadump",
          "target": null
        },
        {
          "id": "SURTR",
          "display_name": "SURTR",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1111",
          "name": "Two-Factor Authentication Interception",
          "display_name": "T1111 - Two-Factor Authentication Interception"
        }
      ],
      "industries": [
        "individuals"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 79,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 68,
        "URL": 119,
        "domain": 36,
        "hostname": 88,
        "email": 1,
        "SSLCertFingerprint": 5
      },
      "indicator_count": 442,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "843 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64f379639e77ae81f51fb1a6",
      "name": "IOC's from my personal devices for the week starting 08/28/23 (byMeekd1904) hmm?",
      "description": "",
      "modified": "2023-09-02T18:05:23.864000",
      "created": "2023-09-02T18:05:23.864000",
      "tags": [
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "unicode",
        "indicator",
        "file",
        "ck id",
        "mitre att",
        "show technique",
        "ck matrix",
        "hybrid analysis",
        "suspicious",
        "hybrid",
        "close",
        "click",
        "august",
        "crypto",
        "strings",
        "malicious",
        "podcast",
        "team",
        "june",
        "error",
        "virtual size",
        "fail",
        "media",
        "path",
        "entropy",
        "alienvault",
        "open threat"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
        "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
        "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
        "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
        "https://tria.ge/230825-pdyvdabe74",
        "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
      ],
      "public": 1,
      "adversary": "N/A",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SpyEye",
          "display_name": "SpyEye",
          "target": null
        },
        {
          "id": "Trojan:Linux/Rootkit",
          "display_name": "Trojan:Linux/Rootkit",
          "target": "/malware/Trojan:Linux/Rootkit"
        },
        {
          "id": "Poet RAT",
          "display_name": "Poet RAT",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/Ponmocup",
          "display_name": "TrojanDropper:Win32/Ponmocup",
          "target": "/malware/TrojanDropper:Win32/Ponmocup"
        },
        {
          "id": "Shylock",
          "display_name": "Shylock",
          "target": null
        },
        {
          "id": "Virus:Win95/Cerebrus",
          "display_name": "Virus:Win95/Cerebrus",
          "target": "/malware/Virus:Win95/Cerebrus"
        },
        {
          "id": "TrojanSpy:Win32/Warpp",
          "display_name": "TrojanSpy:Win32/Warpp",
          "target": "/malware/TrojanSpy:Win32/Warpp"
        },
        {
          "id": "IronTiger",
          "display_name": "IronTiger",
          "target": null
        },
        {
          "id": "wimmie",
          "display_name": "wimmie",
          "target": null
        },
        {
          "id": "lsadump",
          "display_name": "lsadump",
          "target": null
        },
        {
          "id": "SURTR",
          "display_name": "SURTR",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1111",
          "name": "Two-Factor Authentication Interception",
          "display_name": "T1111 - Two-Factor Authentication Interception"
        }
      ],
      "industries": [
        "individuals"
      ],
      "TLP": "white",
      "cloned_from": "64ee2668cad3bfce7a474d79",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 79,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 68,
        "URL": 119,
        "domain": 36,
        "hostname": 88,
        "email": 1,
        "SSLCertFingerprint": 5
      },
      "indicator_count": 442,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "1003 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://hs7.linux.pl/roundcube",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://hs7.linux.pl/roundcube",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780413318.2944057
}