{ "type": "URL", "indicator": "https://metropcs.mobi", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://metropcs.mobi", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3757389274, "indicator": "https://metropcs.mobi", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877d6231fc1cbe1792ee1", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:38.895000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877e28416d81633bae1ad", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:50.976000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c8adc78d892cadd250a", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:54.432000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "https://metro-tmo.com/", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "DiabloFans ClapBack: Google. Com", "Alienvault OTX", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Yara Detections: DotNET_Reactor", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Hybrid Analysis", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "https://uszoom.com/", "Yara Detections stack_string , Armadillov1xxv2xx", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Data Analysis", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "MetrobyT-mobile", "Malicious Score: 10", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/vflooder", "Formbook", "Suppobox", "Artemis", "Trojandownloader:o97m/bazaloader", "Mimikatz", "Virut", "Trojanspy", "Win32.meredrop checkin", "Alf:pua:win32/opencandy", "#lowfi:hstr:trojanspy:win32/bancos", "Pdf.phishing.ttraffrobotinstall-7605656-0", "Alf:trojan:o97m/emotet", "Win.virus.polyransom-5704625-0", "Ramnit", "Quasar rat", "Alf:pua:win32/fusioncore", "Virus:dos/metro", "Maltiverse", "Squirrelwaffle", "Beach research", "Cobalt strike - s0154", "Azorult", "Backdoor:msil/bladabindi", "Win.trojan.sdum-9807706-0", "Backdoor:win32/zbot", "Trojan:win32/installcore", "Irata", "Metro", "Win.keylogger.susppack-9876601-0", "Backdoor:win32/outbreak", "Unix.dropper.mirai-7135870-0", "Blacknet rat", "Vidar", "Win.packer.pkr_ce1a-9980177-0", "Tofsee", "Pony - s0453", "Virus.virlock/nabucur", "Trojandropper:vbs/swrort" ], "industries": [ "Entertainment", "Technology", "Gas", "Civil society", "Telecommunications", "Food" ], "unique_indicators": 33087 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/metropcs.mobi", "whois": "http://whois.domaintools.com/metropcs.mobi", "domain": "metropcs.mobi", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877d6231fc1cbe1792ee1", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:38.895000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d877e28416d81633bae1ad", "name": "PolyRansom attack through malicious actor on threat platforms", "description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom", "modified": "2025-10-27T22:02:25.163000", "created": "2025-09-27T23:48:50.976000", "tags": [ "iocs", "indicator role", "write c", "intel", "ms windows", "medium", "pe32", "delete", "ids detections", "yara detections", "write", "malware", "delete c", "windows", "high", "port", "encrypt", "tofsee", "stream", "passive dns", "http", "ip address", "related nids", "files location", "united states", "united", "win32", "trojan", "mtb may", "twitter", "hellspawn", "worm", "title", "emails", "servers", "get http", "dns resolutions", "http traffic", "command", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "request", "windows nt", "win64", "khtml", "gecko", "response", "present sep", "aaaa", "resolved ips", "ip traffic", "displayname", "yara rule", "loaderid", "name servers", "urls", "domain robot", "mail", "moved", "media gmbh", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "manager", "shutdown", "host", "generic http", "exe upload", "inbound", "outbound", "markus", "certificate", "record value", "object", "path", "server", "registrar abuse", "contact email", "contact phone", "registrar iana", "registrar url", "diablo", "gandi sas", "gandi", "diablo attacks", "bluemind", "alberta", "domain add", "asn as16625", "akamai", "less whois", "registrar", "metrobytmobile", "t mobile", "metro", "present jul", "present jun", "present aug", "germany unknown", "germany", "invalid url", "ipv4 add", "frankfurt", "main", "no entries", "entrust", "hostname add", "files loading", "mimic", "first address", "medium attempts", "process", "explorer", "windows startup", "kuwiqsma", "match medium", "medium installs", "installs", "t regdword", "user", "ntcreatefile", "filehandle", "createfilew", "getfilesize", "blpdqe", "jjqcpluanwwhg", "u0012", "desiredaccess", "keyhandle", "ntopenkeyex", "u001aw", "u0018", "read", "next", "tags none", "file type", "date september", "am size", "imphash pehash", "richhash", "south korea", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "as701 verizon", "verizon", "tcp syn", "infectednight", "resolverror", "tref neutral", "ck technique", "technique id", "tofsee high", "overview whois", "pulses", "tags", "related tags", "more external", "resources whois", "urlvoid", "tavao.exe", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "defense evasion", "spawns", "access att", "ascii text", "pattern match", "mitre att", "size", "meta", "null", "error", "click", "roboto", "hybrid", "general", "local", "starfield", "strings", "refresh", "tools", "onload", "span", "iframe", "found", "t1480 execution", "backdoor", "a domains", "russia", "next associated", "link", "windir", "interesting", "show technique", "ck matrix", "network traffic", "t1071", "t1057", "lowfi", "gameforprofits", "game att", "night got", "job done infected" ], "references": [ "DiabloFans ClapBack: Google. Com", "Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match", "CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match", "Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header", "Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection", "MetrobyT-mobile", "UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic", "Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.", "Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766", "Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra", "Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon", "Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Virus.Virlock/Nabucur", "display_name": "Virus.Virlock/Nabucur", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 450, "FileHash-SHA1": 435, "FileHash-SHA256": 2092, "URL": 646, "domain": 593, "SSLCertFingerprint": 9, "hostname": 657, "email": 13 }, "indicator_count": 4895, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "174 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://metropcs.mobi", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://metropcs.mobi", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776681424.8927364 }