{ "type": "URL", "indicator": "https://mail.google.com/mail/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mail.google.com/mail/", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3188179884, "indicator": "https://mail.google.com/mail/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "680a8d38da27a781f3874c55", "name": "connect-care[.]ca - 04.24.25 - #UAlberta #DataBreach -> #Alberta #Healthcare", "description": "Found some more problems when attempting to access connectcare with my old (stolen) credentials and a work-a-round. It appears (as it was tied to the University of Alberta) that this account also has been tampered with. Conducted general domain analysis. Related to all healthcare pulses in this AlienVault Group in the listed countries below (several others to add in yet).", "modified": "2025-05-24T18:05:13.820000", "created": "2025-04-24T19:12:56.287000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "entity", "javascript", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "ansi", "connect care", "memoryfile scan", "span", "pcap processing", "pcap", "script", "pdf url", "win64", "date", "iframe", "contact", "footer", "meta", "wave", "suspicious", "general", "mission", "calgary", "comspec", "hybrid", "mozilla", "main", "body", "form", "model", "close", "click", "hosts", "mozi", "core", "false", "april", "path", "window", "dest", "bran", "strings", "malicious", "UAlberta", "Connect Care", "Alberta Health Services", "Healthcare", "#YYG", "#YYC" ], "references": [ "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5", "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163", "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Aruba", "Netherlands", "Mexico", "Saint Vincent and the Grenadines", "Cura\u00e7ao", "Bonaire, Sint Eustatius and Saba", "Panama", "Tanzania, United Republic of", "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 89, "FileHash-SHA1": 84, "FileHash-SHA256": 166, "domain": 48, "hostname": 179, "URL": 151, "email": 14, "SSLCertFingerprint": 14 }, "indicator_count": 745, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary", "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview", "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Healthcare", "Government", "Education" ], "unique_indicators": 797 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "mail.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "680a8d38da27a781f3874c55", "name": "connect-care[.]ca - 04.24.25 - #UAlberta #DataBreach -> #Alberta #Healthcare", "description": "Found some more problems when attempting to access connectcare with my old (stolen) credentials and a work-a-round. It appears (as it was tied to the University of Alberta) that this account also has been tampered with. Conducted general domain analysis. Related to all healthcare pulses in this AlienVault Group in the listed countries below (several others to add in yet).", "modified": "2025-05-24T18:05:13.820000", "created": "2025-04-24T19:12:56.287000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "entity", "javascript", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "ansi", "connect care", "memoryfile scan", "span", "pcap processing", "pcap", "script", "pdf url", "win64", "date", "iframe", "contact", "footer", "meta", "wave", "suspicious", "general", "mission", "calgary", "comspec", "hybrid", "mozilla", "main", "body", "form", "model", "close", "click", "hosts", "mozi", "core", "false", "april", "path", "window", "dest", "bran", "strings", "malicious", "UAlberta", "Connect Care", "Alberta Health Services", "Healthcare", "#YYG", "#YYC" ], "references": [ "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5", "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163", "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Aruba", "Netherlands", "Mexico", "Saint Vincent and the Grenadines", "Cura\u00e7ao", "Bonaire, Sint Eustatius and Saba", "Panama", "Tanzania, United Republic of", "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 89, "FileHash-SHA1": 84, "FileHash-SHA256": 166, "domain": 48, "hostname": 179, "URL": 151, "email": 14, "SSLCertFingerprint": 14 }, "indicator_count": 745, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mail.google.com/mail/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mail.google.com/mail/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776674617.7829692 }