{ "type": "URL", "indicator": "https://m.me/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://m.me/", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #7649", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain m.me", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain m.me", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2982459537, "indicator": "https://m.me/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a10c1936b635b73722e3b80", "name": "C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox", "description": "High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive (LotL) behaviors including resource hijacking and unauthorized HTTP egress.\nDomain: Wmiprvse.exe (Masqueraded)Hash (SHA-256): 50994d21e... (Ghost-No Certs / No IP) red flag- lack of digital certificate data. Standard (WMI) binaries are signed by Microsoft. An unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP Comms without resolving to a domain or static IP in the static analysis phase, suggesting it may use (DGA) or hidden (P2P) instructions that only trigger under specific sandbox conditions. 2019- It likely exploits legacy WMI vulnerabilities or utilizes the WMI Event Sub. method to maintain persistence across reboots. Utilizing a 2019, the malware attempts to blend in as an \"old, trusted\" system file to bypass scanners that prioritize scanning new/recently modified files.", "modified": "2026-05-25T09:43:10.181000", "created": "2026-05-22T20:50:27.987000", "tags": [ "please", "chat", "cancel", "email", "sorry", "zendesk chat", "back", "name", "chat rating", "click", "close", "enterprise", "premium", "legacy", "friday", "hello", "mitre attack", "network info", "sigma", "program", "mid frommemory", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "unicode text", "utf8 text", "javascript", "show", "standards", "technology", "detail", "wordpress", "cves", "widget logic", "institute", "widget context", "request forgery", "widget", "impact", "site request", "forgery", "csrf", "cve20267615", "slider", "elementor", "scripting", "mount", "cve20264341", "bundle", "cvecve202620858", "free", "exploit", "abusedmost", "vbscript", "jscript", "wmi traffic", "remote wmi", "port", "dcom", "powershell" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k", "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "IPv4": 23, "URL": 30, "hostname": 49, "domain": 7, "CVE": 9 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10c193e508eb580d8d5352", "name": "C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox", "description": "High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive (LotL) behaviors including resource hijacking and unauthorized HTTP egress.\nDomain: Wmiprvse.exe (Masqueraded)Hash (SHA-256): 50994d21e... (Ghost-No Certs / No IP) red flag- lack of digital certificate data. Standard (WMI) binaries are signed by Microsoft. An unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP Comms without resolving to a domain or static IP in the static analysis phase, suggesting it may use (DGA) or hidden (P2P) instructions that only trigger under specific sandbox conditions. 2019- It likely exploits legacy WMI vulnerabilities or utilizes the WMI Event Sub. method to maintain persistence across reboots. Utilizing a 2019, the malware attempts to blend in as an \"old, trusted\" system file to bypass scanners that prioritize scanning new/recently modified files.", "modified": "2026-05-25T09:43:09.022000", "created": "2026-05-22T20:50:27.547000", "tags": [ "please", "chat", "cancel", "email", "sorry", "zendesk chat", "back", "name", "chat rating", "click", "close", "enterprise", "premium", "legacy", "friday", "hello", "mitre attack", "network info", "sigma", "program", "mid frommemory", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "unicode text", "utf8 text", "javascript", "show", "standards", "technology", "detail", "wordpress", "cves", "widget logic", "institute", "widget context", "request forgery", "widget", "impact", "site request", "forgery", "csrf", "cve20267615", "slider", "elementor", "scripting", "mount", "cve20264341", "bundle", "cvecve202620858", "free", "exploit", "abusedmost", "vbscript", "jscript", "wmi traffic", "remote wmi", "port", "dcom", "powershell" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k", "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "IPv4": 23, "URL": 30, "hostname": 49, "domain": 7, "CVE": 9 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708de4903db240f751e8ba", "name": "https://s7.addthis.com/js/300/addthis_widget.js", "description": "", "modified": "2023-12-06T15:06:12.173000", "created": "2023-12-06T15:06:12.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 784, "hostname": 45, "domain": 37, "URL": 118 }, "indicator_count": 984, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bc5b50fa591c6569d5f8b5", "name": "Interactive Phishing Mark II: Messenger Chatbot Leveraged in a New Facebook-Themed Spam | Trustwave", "description": "Trustwave is a global cybersecurity platform designed to protect against the most advance cybersecurity threats, including email and chatbots, which are being used to target users of Facebook Messenger and other messaging platforms across the world.", "modified": "2022-06-29T14:01:52.125000", "created": "2022-06-29T14:01:52.125000", "tags": [ "facebook", "appeal", "statista", "messenger", "meta", "open", "submit button", "january", "facebook login", "s community", "service" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-mark-ii-messenger-chatbot-leveraged-in-a-new-facebook-themed-spam/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "CVE": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1432 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "627e45fd75dc46245f3df3a9", "name": "https://s7.addthis.com/js/300/addthis_widget.js", "description": "ull URL\nhttps://s7.addthis.com/js/300/addthis_widget.js\nRequested by\nHost: www.changeip.com\nURL: http://www.changeip.com/\nProtocol\nH2\nServer\n 2.18.232.170 Frankfurt am Main, Germany, ASN16625 (AKAMAI-AS, US),\nReverse DNS\na2-18-232-170.deploy.static.akamaitechnologies.com\nSoftware\nnginx/1.15.8 /\nResource Hash\nacd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403\nSecurity Headers\nName\tValue\nStrict-Transport-Security\tmax-age=15724800; includeSubDomains", "modified": "2022-06-12T00:06:23.557000", "created": "2022-05-13T11:50:21.540000", "tags": [ "protocol h2", "server", "frankfurt", "main", "germany", "asn16625", "akamaias", "reverse dns", "software", "resource hash" ], "references": [ "https://urlscan.io/responses/acd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403/", "URL https://s7.addthis.com/js/300/addthis_widget.js Requested by Host: www.changeip.com URL: http://www.changeip.com/ Protocol H2 Server 2.18.232.170 Frankfurt am Main, Germany, ASN16625 (AKAMAI-AS, US), Reverse DNS a2-18-232-170.deploy.static.akamaitechnologies.com Software nginx/1.15.8 / Resource Hash acd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403 Security Headers Name\tValue Strict-Transport-Security\tmax-age=15724800; includeSubDomains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 784, "hostname": 45, "URL": 118, "domain": 37 }, "indicator_count": 984, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-mark-ii-messenger-chatbot-leveraged-in-a-new-facebook-themed-spam/", "https://urlscan.io/responses/acd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403/", "URL https://s7.addthis.com/js/300/addthis_widget.js Requested by Host: www.changeip.com URL: http://www.changeip.com/ Protocol H2 Server 2.18.232.170 Frankfurt am Main, Germany, ASN16625 (AKAMAI-AS, US), Reverse DNS a2-18-232-170.deploy.static.akamaitechnologies.com Software nginx/1.15.8 / Resource Hash acd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403 Security Headers Name\tValue Strict-Transport-Security\tmax-age=15724800; includeSubDomains", "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 1124 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/m.me", "whois": "http://whois.domaintools.com/m.me", "domain": "m.me", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a10c1936b635b73722e3b80", "name": "C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox", "description": "High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive (LotL) behaviors including resource hijacking and unauthorized HTTP egress.\nDomain: Wmiprvse.exe (Masqueraded)Hash (SHA-256): 50994d21e... (Ghost-No Certs / No IP) red flag- lack of digital certificate data. Standard (WMI) binaries are signed by Microsoft. An unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP Comms without resolving to a domain or static IP in the static analysis phase, suggesting it may use (DGA) or hidden (P2P) instructions that only trigger under specific sandbox conditions. 2019- It likely exploits legacy WMI vulnerabilities or utilizes the WMI Event Sub. method to maintain persistence across reboots. Utilizing a 2019, the malware attempts to blend in as an \"old, trusted\" system file to bypass scanners that prioritize scanning new/recently modified files.", "modified": "2026-05-25T09:43:10.181000", "created": "2026-05-22T20:50:27.987000", "tags": [ "please", "chat", "cancel", "email", "sorry", "zendesk chat", "back", "name", "chat rating", "click", "close", "enterprise", "premium", "legacy", "friday", "hello", "mitre attack", "network info", "sigma", "program", "mid frommemory", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "unicode text", "utf8 text", "javascript", "show", "standards", "technology", "detail", "wordpress", "cves", "widget logic", "institute", "widget context", "request forgery", "widget", "impact", "site request", "forgery", "csrf", "cve20267615", "slider", "elementor", "scripting", "mount", "cve20264341", "bundle", "cvecve202620858", "free", "exploit", "abusedmost", "vbscript", "jscript", "wmi traffic", "remote wmi", "port", "dcom", "powershell" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k", "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "IPv4": 23, "URL": 30, "hostname": 49, "domain": 7, "CVE": 9 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10c193e508eb580d8d5352", "name": "C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox", "description": "High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive (LotL) behaviors including resource hijacking and unauthorized HTTP egress.\nDomain: Wmiprvse.exe (Masqueraded)Hash (SHA-256): 50994d21e... (Ghost-No Certs / No IP) red flag- lack of digital certificate data. Standard (WMI) binaries are signed by Microsoft. An unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP Comms without resolving to a domain or static IP in the static analysis phase, suggesting it may use (DGA) or hidden (P2P) instructions that only trigger under specific sandbox conditions. 2019- It likely exploits legacy WMI vulnerabilities or utilizes the WMI Event Sub. method to maintain persistence across reboots. Utilizing a 2019, the malware attempts to blend in as an \"old, trusted\" system file to bypass scanners that prioritize scanning new/recently modified files.", "modified": "2026-05-25T09:43:09.022000", "created": "2026-05-22T20:50:27.547000", "tags": [ "please", "chat", "cancel", "email", "sorry", "zendesk chat", "back", "name", "chat rating", "click", "close", "enterprise", "premium", "legacy", "friday", "hello", "mitre attack", "network info", "sigma", "program", "mid frommemory", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "unicode text", "utf8 text", "javascript", "show", "standards", "technology", "detail", "wordpress", "cves", "widget logic", "institute", "widget context", "request forgery", "widget", "impact", "site request", "forgery", "csrf", "cve20267615", "slider", "elementor", "scripting", "mount", "cve20264341", "bundle", "cvecve202620858", "free", "exploit", "abusedmost", "vbscript", "jscript", "wmi traffic", "remote wmi", "port", "dcom", "powershell" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k", "https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "IPv4": 23, "URL": 30, "hostname": 49, "domain": 7, "CVE": 9 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708de4903db240f751e8ba", "name": "https://s7.addthis.com/js/300/addthis_widget.js", "description": "", "modified": "2023-12-06T15:06:12.173000", "created": "2023-12-06T15:06:12.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 784, "hostname": 45, "domain": 37, "URL": 118 }, "indicator_count": 984, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bc5b50fa591c6569d5f8b5", "name": "Interactive Phishing Mark II: Messenger Chatbot Leveraged in a New Facebook-Themed Spam | Trustwave", "description": "Trustwave is a global cybersecurity platform designed to protect against the most advance cybersecurity threats, including email and chatbots, which are being used to target users of Facebook Messenger and other messaging platforms across the world.", "modified": "2022-06-29T14:01:52.125000", "created": "2022-06-29T14:01:52.125000", "tags": [ "facebook", "appeal", "statista", "messenger", "meta", "open", "submit button", "january", "facebook login", "s community", "service" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-mark-ii-messenger-chatbot-leveraged-in-a-new-facebook-themed-spam/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "CVE": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1432 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "627e45fd75dc46245f3df3a9", "name": "https://s7.addthis.com/js/300/addthis_widget.js", "description": "ull URL\nhttps://s7.addthis.com/js/300/addthis_widget.js\nRequested by\nHost: www.changeip.com\nURL: http://www.changeip.com/\nProtocol\nH2\nServer\n 2.18.232.170 Frankfurt am Main, Germany, ASN16625 (AKAMAI-AS, US),\nReverse DNS\na2-18-232-170.deploy.static.akamaitechnologies.com\nSoftware\nnginx/1.15.8 /\nResource Hash\nacd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403\nSecurity Headers\nName\tValue\nStrict-Transport-Security\tmax-age=15724800; includeSubDomains", "modified": "2022-06-12T00:06:23.557000", "created": "2022-05-13T11:50:21.540000", "tags": [ "protocol h2", "server", "frankfurt", "main", "germany", "asn16625", "akamaias", "reverse dns", "software", "resource hash" ], "references": [ "https://urlscan.io/responses/acd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403/", "URL https://s7.addthis.com/js/300/addthis_widget.js Requested by Host: www.changeip.com URL: http://www.changeip.com/ Protocol H2 Server 2.18.232.170 Frankfurt am Main, Germany, ASN16625 (AKAMAI-AS, US), Reverse DNS a2-18-232-170.deploy.static.akamaitechnologies.com Software nginx/1.15.8 / Resource Hash acd2f7ad78edeebad4b6b0fdd17ff57d81c3726c60fd5435ee8c5a0115d29403 Security Headers Name\tValue Strict-Transport-Security\tmax-age=15724800; includeSubDomains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 784, "hostname": 45, "URL": 118, "domain": 37 }, "indicator_count": 984, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://m.me/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://m.me/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780281749.3805947 }