{ "type": "URL", "indicator": "https://libertyis-ae.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://libertyis-ae.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4373507659, "indicator": "https://libertyis-ae.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eae1aa45c197c5f4cd", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:42.869000", "created": "2026-05-22T20:00:42.869000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 2812 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/libertyis-ae.com", "whois": "http://whois.domaintools.com/libertyis-ae.com", "domain": "libertyis-ae.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eae1aa45c197c5f4cd", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:42.869000", "created": "2026-05-22T20:00:42.869000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://libertyis-ae.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://libertyis-ae.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780234761.1928737 }