{
  "type": "URL",
  "indicator": "https://moves2idaho.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://moves2idaho.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4355598491,
      "indicator": "https://moves2idaho.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "6a030a7e7af998b0bc50d255",
          "name": "Inbox Termination Flood VirusTotal report                    for download.rar",
          "description": "[Malicious: Rar.rar (Rar!S8:z}b), a free archive that can be downloaded via 7Zip or 7zip, for use in the Windows operating system.] This email has vast capabilities, some of the best are email flooding, retrieval, destruction, extraction, tasks and more. This email on 6/3/25 led a client into a wormhole that they never actually got the delivery of it. Just the compliance locked email that destroyed their identity. It appears the temp folder that housed in malicious scripts was made months prior. I could not upload the Cape sandbox. Bundled 58, dropped 58, ensuring you will never get your life back.",
          "modified": "2026-05-12T11:49:25.043000",
          "created": "2026-05-12T11:09:50.783000",
          "tags": [
            "file type",
            "crlf line",
            "ascii text",
            "unicode text",
            "utf8 text",
            "html document",
            "json",
            "python script",
            "mitre attack",
            "network info",
            "window",
            "next",
            "flood email",
            "drops prompts",
            "malicious",
            "illegal",
            "gov",
            "crosstenant",
            "prepared months before in temp folder"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/86a27baba6d32b5c6fba49e2e99864c7d0feada360b55cfc63adb4383e58be77_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778583610&Signature=f3mubmpIGOjgn7yQIqVaPC8J5mcemkwpt3Yl3noIO7eheDcS0pvTXfJfGi4WzCTHzTXgjtWE36sh%2BSHtRa%2FHFX1lvvQnPgqQpvY%2FDVlhYYVKl1nwyiZFuUZliHBmes0%2FGUhViWWRiyYHxDkn7Yj7fV7EMQqnCtlxO%2FMVJf5%2BsmjEkpk%2Frahm4sEcFERizEQtsZBKSnnp%2B1v6RFDphsiX0Ri0ZISYRqmGpmH%2FGvP2%2FQKrXXc9br"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 212,
            "IPv4": 77,
            "URL": 398,
            "domain": 503,
            "hostname": 347,
            "email": 4
          },
          "indicator_count": 1557,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "20 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/86a27baba6d32b5c6fba49e2e99864c7d0feada360b55cfc63adb4383e58be77_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778583610&Signature=f3mubmpIGOjgn7yQIqVaPC8J5mcemkwpt3Yl3noIO7eheDcS0pvTXfJfGi4WzCTHzTXgjtWE36sh%2BSHtRa%2FHFX1lvvQnPgqQpvY%2FDVlhYYVKl1nwyiZFuUZliHBmes0%2FGUhViWWRiyYHxDkn7Yj7fV7EMQqnCtlxO%2FMVJf5%2BsmjEkpk%2Frahm4sEcFERizEQtsZBKSnnp%2B1v6RFDphsiX0Ri0ZISYRqmGpmH%2FGvP2%2FQKrXXc9br"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 712
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/moves2idaho.com",
    "whois": "http://whois.domaintools.com/moves2idaho.com",
    "domain": "moves2idaho.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "6a030a7e7af998b0bc50d255",
      "name": "Inbox Termination Flood VirusTotal report                    for download.rar",
      "description": "[Malicious: Rar.rar (Rar!S8:z}b), a free archive that can be downloaded via 7Zip or 7zip, for use in the Windows operating system.] This email has vast capabilities, some of the best are email flooding, retrieval, destruction, extraction, tasks and more. This email on 6/3/25 led a client into a wormhole that they never actually got the delivery of it. Just the compliance locked email that destroyed their identity. It appears the temp folder that housed in malicious scripts was made months prior. I could not upload the Cape sandbox. Bundled 58, dropped 58, ensuring you will never get your life back.",
      "modified": "2026-05-12T11:49:25.043000",
      "created": "2026-05-12T11:09:50.783000",
      "tags": [
        "file type",
        "crlf line",
        "ascii text",
        "unicode text",
        "utf8 text",
        "html document",
        "json",
        "python script",
        "mitre attack",
        "network info",
        "window",
        "next",
        "flood email",
        "drops prompts",
        "malicious",
        "illegal",
        "gov",
        "crosstenant",
        "prepared months before in temp folder"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/86a27baba6d32b5c6fba49e2e99864c7d0feada360b55cfc63adb4383e58be77_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778583610&Signature=f3mubmpIGOjgn7yQIqVaPC8J5mcemkwpt3Yl3noIO7eheDcS0pvTXfJfGi4WzCTHzTXgjtWE36sh%2BSHtRa%2FHFX1lvvQnPgqQpvY%2FDVlhYYVKl1nwyiZFuUZliHBmes0%2FGUhViWWRiyYHxDkn7Yj7fV7EMQqnCtlxO%2FMVJf5%2BsmjEkpk%2Frahm4sEcFERizEQtsZBKSnnp%2B1v6RFDphsiX0Ri0ZISYRqmGpmH%2FGvP2%2FQKrXXc9br"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 212,
        "IPv4": 77,
        "URL": 398,
        "domain": 503,
        "hostname": 347,
        "email": 4
      },
      "indicator_count": 1557,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "20 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://moves2idaho.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://moves2idaho.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780318876.6277132
}