{ "type": "URL", "indicator": "https://lodash.com/license", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://lodash.com/license", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain lodash.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3678951441, "indicator": "https://lodash.com/license", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6926228c245602830fd82fe5", "name": "hxxps://www[.]cloudflare[.]com/5xx-error-landing - 11.25.25", "description": "Cloudflare Abuse", "modified": "2025-12-25T21:00:52.783000", "created": "2025-11-25T21:41:32.156000", "tags": [ "sandbox", "static analyzer", "emulation", "analyzer", "url", "scanner", "reputation", "phishing", "malware", "cloudflare", "warning icon", "share report", "domain", "systems", "host", "amazon web", "services", "varnish", "onetrust", "error", "bunny", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "online", "submit", "sample", "download", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "runtime data", "file string", "dumps", "varchar", "null", "integer default", "localappdata", "integer not", "license", "path", "date", "facebook", "close", "roboto", "meta", "title", "span", "body", "blink", "win64", "contact", "mexico", "protect", "enterprise", "project", "suspicious", "hybrid", "mendoza", "mini", "code", "galileo", "4629", "false", "media", "critical", "fast", "stream", "cloud", "click", "hosts", "dorv", "lion", "cascade", "august", "general", "strings", "malicious" ], "references": [ "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "FileHash-MD5": 136, "FileHash-SHA1": 82, "domain": 120, "hostname": 275, "FileHash-SHA256": 136, "email": 12 }, "indicator_count": 1281, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "114 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c0333a4bab9053ba0e22d7", "name": "TrickBot| Miscellaneous Attack of a Medical Practice | Mitre", "description": "Targets a medical facility. Could only be accessed via IExplorer. \nFacility did experience full shutdown and reboot of system, lights, in January. \n\n\u2022TrickBot is a banking Trojan that can steal financial details, account credentials, and personally identifiable information (PII), as well as spread within a network and drop ransomware, particularly Ryuk", "modified": "2024-03-06T00:01:49.984000", "created": "2024-02-05T01:00:42.017000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "script", "united", "date", "error", "unknown", "span", "meta", "hybrid", "null", "general", "local", "click", "strings", "this", "legacy", "false", "window", "suricata", "mitre", "command scripting", "status", "moved", "search", "record value", "cname", "scan endpoints", "all octoseek", "body", "network", "exploit", "shellcode", "name verdict", "u4e0b", "falcon sandbox", "falcon", "malware", "no data", "tag count", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "passive dns", "urls", "domain", "all search", "otx octoseek", "hostname", "pulse pulses", "files", "files ip", "a nxdomain", "ip address", "ip related", "remote cnc", "contacted", "pe resource", "threat roundup", "whois record", "execution", "communicating", "copy", "whois whois", "november", "august", "february", "banker", "keylogger", "lockbit", "probe", "remcos", "core", "trickbot", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "phone call", "trigger" ], "references": [ "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "https://www.malwarebytes.com/trickbot", "Potential E-Mail address found in binary/memory", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "slice.call", "object.prototype.hasownproperty.call", "rock.mit-license.org [pattern match]", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "camsadultsgetwet.com", "firecams.com", "window.fedops.data" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "FileHash-SHA1": 151, "URL": 179, "domain": 159, "email": 2, "hostname": 150, "FileHash-SHA256": 599, "CVE": 1 }, "indicator_count": 1412, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c0333c1ff113786c4610d0", "name": "TrickBot| Miscellaneous Attack of a Medical Practice | Mitre", "description": "Targets a medical facility. Could only be accessed via IExplorer. \nFacility did experience full shutdown and reboot of system, lights, in January. \n\n\u2022TrickBot is a banking Trojan that can steal financial details, account credentials, and personally identifiable information (PII), as well as spread within a network and drop ransomware, particularly Ryuk", "modified": "2024-03-06T00:01:49.984000", "created": "2024-02-05T01:00:44.679000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "script", "united", "date", "error", "unknown", "span", "meta", "hybrid", "null", "general", "local", "click", "strings", "this", "legacy", "false", "window", "suricata", "mitre", "command scripting", "status", "moved", "search", "record value", "cname", "scan endpoints", "all octoseek", "body", "network", "exploit", "shellcode", "name verdict", "u4e0b", "falcon sandbox", "falcon", "malware", "no data", "tag count", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "passive dns", "urls", "domain", "all search", "otx octoseek", "hostname", "pulse pulses", "files", "files ip", "a nxdomain", "ip address", "ip related", "remote cnc", "contacted", "pe resource", "threat roundup", "whois record", "execution", "communicating", "copy", "whois whois", "november", "august", "february", "banker", "keylogger", "lockbit", "probe", "remcos", "core", "trickbot", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "phone call", "trigger" ], "references": [ "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "https://www.malwarebytes.com/trickbot", "Potential E-Mail address found in binary/memory", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "slice.call", "object.prototype.hasownproperty.call", "rock.mit-license.org [pattern match]", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "camsadultsgetwet.com", "firecams.com", "window.fedops.data" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "FileHash-SHA1": 151, "URL": 179, "domain": 159, "email": 2, "hostname": 150, "FileHash-SHA256": 599, "CVE": 1 }, "indicator_count": 1412, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c09e0a6f1a6c10a715a6f2", "name": "TrickBot| Miscellaneous Attack of a Medical Practice | Mitre", "description": "", "modified": "2024-03-06T00:01:49.984000", "created": "2024-02-05T08:36:26.703000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "script", "united", "date", "error", "unknown", "span", "meta", "hybrid", "null", "general", "local", "click", "strings", "this", "legacy", "false", "window", "suricata", "mitre", "command scripting", "status", "moved", "search", "record value", "cname", "scan endpoints", "all octoseek", "body", "network", "exploit", "shellcode", "name verdict", "u4e0b", "falcon sandbox", "falcon", "malware", "no data", "tag count", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "passive dns", "urls", "domain", "all search", "otx octoseek", "hostname", "pulse pulses", "files", "files ip", "a nxdomain", "ip address", "ip related", "remote cnc", "contacted", "pe resource", "threat roundup", "whois record", "execution", "communicating", "copy", "whois whois", "november", "august", "february", "banker", "keylogger", "lockbit", "probe", "remcos", "core", "trickbot", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "phone call", "trigger" ], "references": [ "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "https://www.malwarebytes.com/trickbot", "Potential E-Mail address found in binary/memory", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "slice.call", "object.prototype.hasownproperty.call", "rock.mit-license.org [pattern match]", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "camsadultsgetwet.com", "firecams.com", "window.fedops.data" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": "65c0333c1ff113786c4610d0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "FileHash-SHA1": 151, "URL": 179, "domain": 159, "email": 2, "hostname": 150, "FileHash-SHA256": 599, "CVE": 1 }, "indicator_count": 1412, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a819664c2499fc2adc79", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-12-06T16:58:01.198000", "created": "2023-12-06T16:58:01.198000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 1664, "FileHash-MD5": 367, "FileHash-SHA1": 237, "domain": 1950, "URL": 6466, "hostname": 2346, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652214c652025febf66cde33", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "C2 | scanning_host | Malicious|", "modified": "2023-11-07T01:01:57.592000", "created": "2023-10-08T02:32:38.609000", "tags": [ "ssl certificate", "whois record", "historical ssl", "threat roundup", "whois whois", "october", "referrer", "resolutions", "december", "september", "hacktool", "united", "anonymizer", "firehol", "microsoft", "phishing site", "malware site", "paypal", "latam", "phishing", "malicious site", "myetherwallet", "heur", "malware", "zeus", "zbot", "facebook", "artemis", "bank", "bradesco", "riskware", "download", "telecom", "dropper", "emotet", "formbook", "cisco umbrella", "site", "safe site", "blacklist https", "generic malware", "detection list", "blacklist", "generic", "pe resource", "contacted", "red team", "whois", "execution", "skynet", "u4e0b", "falcon sandbox", "flag", "date", "server", "name server", "markmonitor", "domain address", "gandi sas", "mesh digital", "vimeo", "static engine", "alexa top", "million", "adwarex", "alexa", "xrat", "downldr", "presenoker", "maltiverse", "ocidmy01rz", "runtime process", "copy md5", "sha1", "copy sha1", "copy sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 367, "FileHash-SHA1": 237, "FileHash-SHA256": 1664, "URL": 6466, "domain": 1950, "hostname": 2346, "CVE": 4, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f15cbb17119f3334c0c57", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-11-07T01:01:57.592000", "created": "2023-10-30T02:32:43.922000", "tags": [ "ssl certificate", "whois record", "historical ssl", "threat roundup", "whois whois", "october", "referrer", "resolutions", "december", "september", "hacktool", "united", "anonymizer", "firehol", "microsoft", "phishing site", "malware site", "paypal", "latam", "phishing", "malicious site", "myetherwallet", "heur", "malware", "zeus", "zbot", "facebook", "artemis", "bank", "bradesco", "riskware", "download", "telecom", "dropper", "emotet", "formbook", "cisco umbrella", "site", "safe site", "blacklist https", "generic malware", "detection list", "blacklist", "generic", "pe resource", "contacted", "red team", "whois", "execution", "skynet", "u4e0b", "falcon sandbox", "flag", "date", "server", "name server", "markmonitor", "domain address", "gandi sas", "mesh digital", "vimeo", "static engine", "alexa top", "million", "adwarex", "alexa", "xrat", "downldr", "presenoker", "maltiverse", "ocidmy01rz", "runtime process", "copy md5", "sha1", "copy sha1", "copy sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "green", "cloned_from": "652214c652025febf66cde33", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 367, "FileHash-SHA1": 237, "FileHash-SHA256": 1664, "URL": 6466, "domain": 1950, "hostname": 2346, "CVE": 4, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64738158d6da7115bc4ba9ae", "name": "v2 with hybrid data 46XKY8QY.htm", "description": "The following has been described as \"highly suspicious\" and \"suspicious\" by a number of people on social media, including those who are known to have been caught up in a security breach.", "modified": "2023-06-27T12:03:43.609000", "created": "2023-05-28T16:29:12.410000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "memoryfile scan", "dropped file", "runtime data", "microsoft", "dumps", "file string", "unicode", "null", "varchar", "june", "facebook", "error", "bank", "close", "code", "date", "roboto", "explorer", "meta", "body", "blink", "win64", "entity", "copia", "generator", "format", "later", "grazie", "back", "batal", "comment", "suspicious", "cookie", "contact", "import", "next", "magic", "internal", "window", "blank", "void", "verify", "service", "fail", "media", "alla", "enjoy", "infinity", "yang", "mini", "webview", "4629", "false", "path", "hybrid", "click", "hosts", "valentine", "mask", "general", "strings", "team", "april", "qakbot", "welcome", "thank", "fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de" ], "references": [ "http://peoplesservicz.com/", "fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de", "https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de", "https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de/647341991c874a18be0049f5" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1253, "URL": 3938, "domain": 1087, "FileHash-SHA256": 80, "FileHash-MD5": 37, "FileHash-SHA1": 25 }, "indicator_count": 6420, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1027 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "645c9552d2976bc754de54f3", "name": ";https://ssl.kaptcha.com/collect/sdk?m=700000", "description": "[", "modified": "2023-05-11T07:12:18.292000", "created": "2023-05-11T07:12:18.292000", "tags": [], "references": [ "https://ssl.kaptcha.com/collect/sdk?m=700000", "https://www.hybrid-analysis.com/sample/161727a812a1c449bd581cbe577ba30fff74533887ce55dccdc7eaad27753b2c/645bf4aed69ba630d909ae5f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1177, "domain": 162, "hostname": 321, "FileHash-SHA256": 81, "IPv4": 6, "FileHash-MD5": 71, "FileHash-SHA1": 53, "email": 3 }, "indicator_count": 1874, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1074 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de/647341991c874a18be0049f5", "http://peoplesservicz.com/", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "rock.mit-license.org [pattern match]", "object.prototype.hasownproperty.call", "https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "camsadultsgetwet.com", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "firecams.com", "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/161727a812a1c449bd581cbe577ba30fff74533887ce55dccdc7eaad27753b2c/645bf4aed69ba630d909ae5f", "Potential E-Mail address found in binary/memory", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://www.malwarebytes.com/trickbot", "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "window.fedops.data", "slice.call", "fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de", "https://ssl.kaptcha.com/collect/sdk?m=700000", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Generic", "Maltiverse", "Trickbot", "Emotet", "Generic.malware" ], "industries": [ "Healthcare" ], "unique_indicators": 33198 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/lodash.com", "whois": "http://whois.domaintools.com/lodash.com", "domain": "lodash.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6926228c245602830fd82fe5", "name": "hxxps://www[.]cloudflare[.]com/5xx-error-landing - 11.25.25", "description": "Cloudflare Abuse", "modified": "2025-12-25T21:00:52.783000", "created": "2025-11-25T21:41:32.156000", "tags": [ "sandbox", "static analyzer", "emulation", "analyzer", "url", "scanner", "reputation", "phishing", "malware", "cloudflare", "warning icon", "share report", "domain", "systems", "host", "amazon web", "services", "varnish", "onetrust", "error", "bunny", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "online", "submit", "sample", "download", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "runtime data", "file string", "dumps", "varchar", "null", "integer default", "localappdata", "integer not", "license", "path", "date", "facebook", "close", "roboto", "meta", "title", "span", "body", "blink", "win64", "contact", "mexico", "protect", "enterprise", "project", "suspicious", "hybrid", "mendoza", "mini", "code", "galileo", "4629", "false", "media", "critical", "fast", "stream", "cloud", "click", "hosts", "dorv", "lion", "cascade", "august", "general", "strings", "malicious" ], "references": [ "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "FileHash-MD5": 136, "FileHash-SHA1": 82, "domain": 120, "hostname": 275, "FileHash-SHA256": 136, "email": 12 }, "indicator_count": 1281, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "114 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c0333a4bab9053ba0e22d7", "name": "TrickBot| Miscellaneous Attack of a Medical Practice | Mitre", "description": "Targets a medical facility. Could only be accessed via IExplorer. \nFacility did experience full shutdown and reboot of system, lights, in January. \n\n\u2022TrickBot is a banking Trojan that can steal financial details, account credentials, and personally identifiable information (PII), as well as spread within a network and drop ransomware, particularly Ryuk", "modified": "2024-03-06T00:01:49.984000", "created": "2024-02-05T01:00:42.017000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "script", "united", "date", "error", "unknown", "span", "meta", "hybrid", "null", "general", "local", "click", "strings", "this", "legacy", "false", "window", "suricata", "mitre", "command scripting", "status", "moved", "search", "record value", "cname", "scan endpoints", "all octoseek", "body", "network", "exploit", "shellcode", "name verdict", "u4e0b", "falcon sandbox", "falcon", "malware", "no data", "tag count", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "passive dns", "urls", "domain", "all search", "otx octoseek", "hostname", "pulse pulses", "files", "files ip", "a nxdomain", "ip address", "ip related", "remote cnc", "contacted", "pe resource", "threat roundup", "whois record", "execution", "communicating", "copy", "whois whois", "november", "august", "february", "banker", "keylogger", "lockbit", "probe", "remcos", "core", "trickbot", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "phone call", "trigger" ], "references": [ "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "https://www.malwarebytes.com/trickbot", "Potential E-Mail address found in binary/memory", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "slice.call", "object.prototype.hasownproperty.call", "rock.mit-license.org [pattern match]", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "camsadultsgetwet.com", "firecams.com", "window.fedops.data" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "FileHash-SHA1": 151, "URL": 179, "domain": 159, "email": 2, "hostname": 150, "FileHash-SHA256": 599, "CVE": 1 }, "indicator_count": 1412, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c0333c1ff113786c4610d0", "name": "TrickBot| Miscellaneous Attack of a Medical Practice | Mitre", "description": "Targets a medical facility. Could only be accessed via IExplorer. \nFacility did experience full shutdown and reboot of system, lights, in January. \n\n\u2022TrickBot is a banking Trojan that can steal financial details, account credentials, and personally identifiable information (PII), as well as spread within a network and drop ransomware, particularly Ryuk", "modified": "2024-03-06T00:01:49.984000", "created": "2024-02-05T01:00:44.679000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "script", "united", "date", "error", "unknown", "span", "meta", "hybrid", "null", "general", "local", "click", "strings", "this", "legacy", "false", "window", "suricata", "mitre", "command scripting", "status", "moved", "search", "record value", "cname", "scan endpoints", "all octoseek", "body", "network", "exploit", "shellcode", "name verdict", "u4e0b", "falcon sandbox", "falcon", "malware", "no data", "tag count", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "passive dns", "urls", "domain", "all search", "otx octoseek", "hostname", "pulse pulses", "files", "files ip", "a nxdomain", "ip address", "ip related", "remote cnc", "contacted", "pe resource", "threat roundup", "whois record", "execution", "communicating", "copy", "whois whois", "november", "august", "february", "banker", "keylogger", "lockbit", "probe", "remcos", "core", "trickbot", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "phone call", "trigger" ], "references": [ "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "https://www.malwarebytes.com/trickbot", "Potential E-Mail address found in binary/memory", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "slice.call", "object.prototype.hasownproperty.call", "rock.mit-license.org [pattern match]", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "camsadultsgetwet.com", "firecams.com", "window.fedops.data" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "FileHash-SHA1": 151, "URL": 179, "domain": 159, "email": 2, "hostname": 150, "FileHash-SHA256": 599, "CVE": 1 }, "indicator_count": 1412, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c09e0a6f1a6c10a715a6f2", "name": "TrickBot| Miscellaneous Attack of a Medical Practice | Mitre", "description": "", "modified": "2024-03-06T00:01:49.984000", "created": "2024-02-05T08:36:26.703000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "ascii text", "script", "united", "date", "error", "unknown", "span", "meta", "hybrid", "null", "general", "local", "click", "strings", "this", "legacy", "false", "window", "suricata", "mitre", "command scripting", "status", "moved", "search", "record value", "cname", "scan endpoints", "all octoseek", "body", "network", "exploit", "shellcode", "name verdict", "u4e0b", "falcon sandbox", "falcon", "malware", "no data", "tag count", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "passive dns", "urls", "domain", "all search", "otx octoseek", "hostname", "pulse pulses", "files", "files ip", "a nxdomain", "ip address", "ip related", "remote cnc", "contacted", "pe resource", "threat roundup", "whois record", "execution", "communicating", "copy", "whois whois", "november", "august", "february", "banker", "keylogger", "lockbit", "probe", "remcos", "core", "trickbot", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "phone call", "trigger" ], "references": [ "https://www.crccolorado.com/", "https://www.hybrid-analysis.com/sample/6e6e4b61b6c658dafe9b59b235d13d12eaa955c719720529b44d530c83032a8a/65bff4553336954b380dbba5", "https://www.malwarebytes.com/trickbot", "Potential E-Mail address found in binary/memory", "\"focus-within-polyfill@5.0.9\" | \"core-js-bundle@3.2.1\" | \"lodash@4.17.21\"| \"react@16.14.0\" | \"react-dom@16.14.0\"", "https://static.wixstatic.com/media/fe5868_7bec5131ba084565b6999f47dafd9737.png/v1/fill/w_180%2Ch_180%2Clg_1%2Cusm_0.66_1.00_0.01/fe5868_7bec5131ba084565b6999f47dafd9737.png [\"apple touch icon\"]", "slice.call", "object.prototype.hasownproperty.call", "rock.mit-license.org [pattern match]", "https://www.google.com/intl/en/chrome/\" Pattern match: \"https://static.parastorage.com/services/wix-thunderbolt/dist/originTrials.41d7301a.bundle.min.js.map [network]", "https://static.parastorage.com/services/editor-elements-library/dist/thunderbolt/rb_wixui.thunderbolt[VerticalLine_ClassicVerticalSolidLine].67fb182e.min.css", "https://static.parastorage.com/services/wix-thunderbolt/dist/main.c1956e3f.min.css [device-mo]", "camsadultsgetwet.com", "firecams.com", "window.fedops.data" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": "65c0333c1ff113786c4610d0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 171, "FileHash-SHA1": 151, "URL": 179, "domain": 159, "email": 2, "hostname": 150, "FileHash-SHA256": 599, "CVE": 1 }, "indicator_count": 1412, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a819664c2499fc2adc79", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-12-06T16:58:01.198000", "created": "2023-12-06T16:58:01.198000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 1664, "FileHash-MD5": 367, "FileHash-SHA1": 237, "domain": 1950, "URL": 6466, "hostname": 2346, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652214c652025febf66cde33", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "C2 | scanning_host | Malicious|", "modified": "2023-11-07T01:01:57.592000", "created": "2023-10-08T02:32:38.609000", "tags": [ "ssl certificate", "whois record", "historical ssl", "threat roundup", "whois whois", "october", "referrer", "resolutions", "december", "september", "hacktool", "united", "anonymizer", "firehol", "microsoft", "phishing site", "malware site", "paypal", "latam", "phishing", "malicious site", "myetherwallet", "heur", "malware", "zeus", "zbot", "facebook", "artemis", "bank", "bradesco", "riskware", "download", "telecom", "dropper", "emotet", "formbook", "cisco umbrella", "site", "safe site", "blacklist https", "generic malware", "detection list", "blacklist", "generic", "pe resource", "contacted", "red team", "whois", "execution", "skynet", "u4e0b", "falcon sandbox", "flag", "date", "server", "name server", "markmonitor", "domain address", "gandi sas", "mesh digital", "vimeo", "static engine", "alexa top", "million", "adwarex", "alexa", "xrat", "downldr", "presenoker", "maltiverse", "ocidmy01rz", "runtime process", "copy md5", "sha1", "copy sha1", "copy sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 367, "FileHash-SHA1": 237, "FileHash-SHA256": 1664, "URL": 6466, "domain": 1950, "hostname": 2346, "CVE": 4, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f15cbb17119f3334c0c57", "name": "BLOG | cloak-and-dagger | Page 4 of 8", "description": "", "modified": "2023-11-07T01:01:57.592000", "created": "2023-10-30T02:32:43.922000", "tags": [ "ssl certificate", "whois record", "historical ssl", "threat roundup", "whois whois", "october", "referrer", "resolutions", "december", "september", "hacktool", "united", "anonymizer", "firehol", "microsoft", "phishing site", "malware site", "paypal", "latam", "phishing", "malicious site", "myetherwallet", "heur", "malware", "zeus", "zbot", "facebook", "artemis", "bank", "bradesco", "riskware", "download", "telecom", "dropper", "emotet", "formbook", "cisco umbrella", "site", "safe site", "blacklist https", "generic malware", "detection list", "blacklist", "generic", "pe resource", "contacted", "red team", "whois", "execution", "skynet", "u4e0b", "falcon sandbox", "flag", "date", "server", "name server", "markmonitor", "domain address", "gandi sas", "mesh digital", "vimeo", "static engine", "alexa top", "million", "adwarex", "alexa", "xrat", "downldr", "presenoker", "maltiverse", "ocidmy01rz", "runtime process", "copy md5", "sha1", "copy sha1", "copy sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "green", "cloned_from": "652214c652025febf66cde33", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 367, "FileHash-SHA1": 237, "FileHash-SHA256": 1664, "URL": 6466, "domain": 1950, "hostname": 2346, "CVE": 4, "email": 1 }, "indicator_count": 13035, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64738158d6da7115bc4ba9ae", "name": "v2 with hybrid data 46XKY8QY.htm", "description": "The following has been described as \"highly suspicious\" and \"suspicious\" by a number of people on social media, including those who are known to have been caught up in a security breach.", "modified": "2023-06-27T12:03:43.609000", "created": "2023-05-28T16:29:12.410000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "memoryfile scan", "dropped file", "runtime data", "microsoft", "dumps", "file string", "unicode", "null", "varchar", "june", "facebook", "error", "bank", "close", "code", "date", "roboto", "explorer", "meta", "body", "blink", "win64", "entity", "copia", "generator", "format", "later", "grazie", "back", "batal", "comment", "suspicious", "cookie", "contact", "import", "next", "magic", "internal", "window", "blank", "void", "verify", "service", "fail", "media", "alla", "enjoy", "infinity", "yang", "mini", "webview", "4629", "false", "path", "hybrid", "click", "hosts", "valentine", "mask", "general", "strings", "team", "april", "qakbot", "welcome", "thank", "fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de" ], "references": [ "http://peoplesservicz.com/", "fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de", "https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de", "https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de/647341991c874a18be0049f5" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1253, "URL": 3938, "domain": 1087, "FileHash-SHA256": 80, "FileHash-MD5": 37, "FileHash-SHA1": 25 }, "indicator_count": 6420, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1027 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "645c9552d2976bc754de54f3", "name": ";https://ssl.kaptcha.com/collect/sdk?m=700000", "description": "[", "modified": "2023-05-11T07:12:18.292000", "created": "2023-05-11T07:12:18.292000", "tags": [], "references": [ "https://ssl.kaptcha.com/collect/sdk?m=700000", "https://www.hybrid-analysis.com/sample/161727a812a1c449bd581cbe577ba30fff74533887ce55dccdc7eaad27753b2c/645bf4aed69ba630d909ae5f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1177, "domain": 162, "hostname": 321, "FileHash-SHA256": 81, "IPv4": 6, "FileHash-MD5": 71, "FileHash-SHA1": 53, "email": 3 }, "indicator_count": 1874, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1074 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://lodash.com/license", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://lodash.com/license", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615761.039249 }