{ "type": "URL", "indicator": "https://ns-18.awsdns-02.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ns-18.awsdns-02.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3135673850, "indicator": "https://ns-18.awsdns-02.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "69dba8a0f375964d468b9ba0", "name": "Credit: DorkingBeauty1- Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye", "description": "", "modified": "2026-04-12T14:17:39.016000", "created": "2026-04-12T14:13:52.560000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "ecacc", "gmtetag", "date", "sha256", "pcap", "path", "accept", "back", "close", "click", "solid", "class", "flame", "splash", "verify", "direct", "suspicious", "malicious", "sybuex", "core", "agent", "code", "model", "next", "first", "phase", "impact", "trim", "hybrid", "hosts", "format", "general", "strings", "dupont", "meta", "body", "local", "trident", "gynx", "mozilla" ], "references": [ "https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100", "https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100", "https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100", "ok12110.ok1.chatbot.lab.works-hi.co.jp", "ns-19.awsdns-02.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "622772a53274b509660d46af", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 902, "domain": 338, "URL": 1721, "FileHash-SHA256": 558, "email": 4, "CVE": 1, "FileHash-MD5": 159, "FileHash-SHA1": 128, "IPv4": 3 }, "indicator_count": 3814, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570908823f97b5559b71806", "name": ";http://tiktok.hop3.pw/EaL8Ufp - Hybrid A report upliad", "description": "", "modified": "2023-12-06T15:17:28.460000", "created": "2023-12-06T15:17:28.460000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 239, "domain": 403, "email": 10, "URL": 1032, "hostname": 561, "FileHash-MD5": 84, "FileHash-SHA1": 49 }, "indicator_count": 2378, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708d3fec7eeee20ce02403", "name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage", "description": "", "modified": "2023-12-06T15:03:27.390000", "created": "2023-12-06T15:03:27.390000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1374, "hostname": 792, "domain": 517, "URL": 1529, "FileHash-MD5": 81, "FileHash-SHA1": 71 }, "indicator_count": 4366, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708a8f3203633312147d1e", "name": "www.virgilio. various Malacious tld's", "description": "", "modified": "2023-12-06T14:51:59.166000", "created": "2023-12-06T14:51:59.166000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 238, "URL": 818, "domain": 177, "hostname": 336, "email": 6, "FileHash-MD5": 79, "FileHash-SHA1": 47 }, "indicator_count": 1702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089bdb1d8a5ad0edc6614", "name": "http://www.diapers.com.sg/GOO.N-Japan-Version-Diapers-Pants/", "description": "", "modified": "2023-12-06T14:48:29.397000", "created": "2023-12-06T14:48:29.397000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 307, "domain": 149, "hostname": 299, "URL": 602, "email": 4, "FileHash-MD5": 59, "FileHash-SHA1": 53 }, "indicator_count": 1474, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708172b5b5810d62645bfe", "name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts", "description": "", "modified": "2023-12-06T14:13:06.127000", "created": "2023-12-06T14:13:06.127000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 516, "FileHash-SHA256": 340, "URL": 713, "email": 3, "domain": 356, "FileHash-MD5": 119, "FileHash-SHA1": 59, "SSLCertFingerprint": 4 }, "indicator_count": 2110, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657080d7cc6525322cdb9052", "name": "Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye", "description": "", "modified": "2023-12-06T14:10:31.519000", "created": "2023-12-06T14:10:31.519000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 537, "hostname": 888, "URL": 1698, "email": 4, "domain": 337, "CVE": 1, "FileHash-MD5": 159, "FileHash-SHA1": 127 }, "indicator_count": 3751, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6431d1244a8ae763a8d5ed74", "name": "http://hm732.com/ - v2 all and sundrie", "description": "", "modified": "2023-05-08T20:02:01.231000", "created": "2023-04-08T20:40:04.099000", "tags": [ "trojan", "chromeua", "dropped file", "optout", "runtime data", "object", "drmedgeua", "unicode", "optin", "edgeua", "span", "error", "win64", "date", "format", "addressbar", "generator", "path", "template", "suspicious", "unknown", "void", "desktop", "dark", "light", "mozilla", "this", "cookie", "meta", "iframe", "window", "legend", "null", "wind", "strings", "qakbot", "http://hm732.com/" ], "references": [ "https://hybrid-analysis.com/sample/bca1a3df6a236ec7870fbae8a5d5c5597347dad17f9b00e49c05ab1eb8e87f83/64319a805d10c703330b366e" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2345, "hostname": 951, "domain": 405, "FileHash-SHA256": 82, "FileHash-MD5": 63, "FileHash-SHA1": 61, "email": 5 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1077 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62e80d56fba248bac0744780", "name": "\ud83e\udd14\ud83d\udea8 Could this be the source of all Evil? \ud83d\udea8\ud83e\udd14 Nubotnet - Team:KU Leuven/test2 - 2021.igem.org", "description": "", "modified": "2022-08-31T00:01:05.509000", "created": "2022-08-01T17:28:54.991000", "tags": [ "apt", "runtime data", "decrypted ssl", "pcap", "windows nt", "tops", "cookie", "typeof t", "element", "error", "matrix", "typeerror", "bmfloor", "frameelement", "null", "skew", "parade" ], "references": [ "https://2021.igem.org/Team:KU_Leuven/test2", "https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1696, "domain": 586, "hostname": 613, "FileHash-SHA256": 533, "FileHash-MD5": 34, "FileHash-SHA1": 33, "email": 1 }, "indicator_count": 3496, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62d9e3e8f8a916986b59d0fb", "name": ";http://tiktok.hop3.pw/EaL8Ufp - Hybrid A report upliad", "description": "", "modified": "2022-08-21T00:01:29.251000", "created": "2022-07-21T23:40:24.902000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "threat level", "date", "windows nt", "pcap", "sha256", "pcap processing", "report domain", "accept", "core", "roboto", "gondi", "twitter", "obfa", "hybrid", "close", "click", "hosts", "malicious", "general", "local", "lana", "mozi", "trident", "strings", "suspicious", "hop3.pw" ], "references": [ "https://www.hybrid-analysis.com/sample/facdbc6b7b2cb2a4ba4d45dc831c29834813a8690a81d206e3472b2aacd926bd/62d6a6da34c2b45239660f93" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 561, "domain": 403, "FileHash-SHA256": 239, "URL": 1032, "email": 10, "FileHash-MD5": 84, "FileHash-SHA1": 49 }, "indicator_count": 2378, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1338 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62b05f8c261c86a70d541ee2", "name": "http://irs.gov/efile", "description": "", "modified": "2022-07-20T00:04:04.226000", "created": "2022-06-20T11:52:44.182000", "tags": [ "malware", "trojan", "apt", "windows nt", "patch", "june", "local", "team", "february", "b3sitos" ], "references": [ "Hybrid-A gives clean bill of health with all this nastyness ??????", "Found malicious artifacts related to \"108.156.107.37\": ... URL: https://daycoval.facildepagar.com.br/ (AV positives: 8/95 scanned on 06/19/2022 01:54:19) URL: https://search.thejobspotter.com/ (AV positives: 1/95 scanned on 06/17/2022 18:02:39) URL: http://www.onlyonesearch.com/?q=caixa%20geral%20de%20dep%C3%B3sitos%20caixadirecta (AV positives: 1/95 scanned on 06/17/2022 04:21:41) URL: https://dp.la/search (AV positives: 1/95 scanned on 06/14/2022 18:12:11) URL: http://www.ute.com/templates/email_signatur", "https://hybrid-analysis.com/sample/f5c28aaa1eed64eb2abcc9bf3208dbd597b01d0eff7cb0abbcecaf70b77eec3c/62afaa107abd8e4632069a53" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 333, "URL": 509, "domain": 285, "FileHash-SHA256": 196, "CVE": 1, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 1433, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "629b50216b11e3d786f4a5e9", "name": "- GNS3", "description": "", "modified": "2022-07-04T00:03:29.389000", "created": "2022-06-04T12:29:21.310000", "tags": [ "decrypted ssl", "windows nt", "local", "factory", "february" ], "references": [ "http://reviews.gns3.com/", "https://hybrid-analysis.com/sample/ec9301fa384e42acecc146ee968746c58a5f2d5d89bc458a34cccbff67a7fec9/629317f648d8dd3f412c289a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 436, "URL": 873, "domain": 313, "FileHash-SHA256": 108, "FileHash-MD5": 54, "CVE": 1, "FileHash-SHA1": 50, "email": 1 }, "indicator_count": 1836, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1386 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62727ce7b14807e910b72bb7", "name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage", "description": "and that 72 ip at edgcast thats listed as false positive....\n\ud83e\udee2\ud83e\udd2f\ud83e\udd2c everything communucating with it is MALICIOUS and font and lang file corruption means the www is causing it!!!", "modified": "2022-06-03T00:01:00.120000", "created": "2022-05-04T13:17:27.444000", "tags": [], "references": [ "https://hybrid-analysis.com/sample/fcf01007f38956f164a86deda652684fe6c76c41db32f5ac38a43712615154dc/6271a3fc12c9eb6e7053caf1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1529, "hostname": 792, "domain": 517, "FileHash-SHA256": 1374, "CVE": 2, "FileHash-MD5": 81, "FileHash-SHA1": 71 }, "indicator_count": 4366, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1417 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6264b524008ccee1d221f967", "name": "statcounter nefarious ad and analytics in platform webapp delivered ads", "description": "", "modified": "2022-05-24T00:01:27.321000", "created": "2022-04-24T02:25:40.062000", "tags": [ "associated urls", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "section", "ansi", "threat level", "header", "messages", "surveymonkey", "chrome", "firefox", "safari", "microsoft", "date", "span", "path", "body", "accept", "explorer", "suspicious", "main", "hybrid", "close", "click", "hosts", "april", "malicious", "general", "local", "factory", "strings", "team", "february", "hybrid analysis", "input", "report", "falcon sandbox", "please note", "data protection", "policy", "https", "memoryfile scan", "windir", "openurl c", "urlhttps", "pmuid", "no expiration", "filehashsha256", "url http", "expiration" ], "references": [ "https://onetag-sys.com/usync/?pubId=6b859b96c564fbe", "https://sync.richaudience.com/74889303289e27f327ad0c6de7be7264/?p=1BTOoaD22a&consentString=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&ccpa_", "https://ssbsync.smartadserver.com/api/sync?callerId=43&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA", "https://ads.pubmatic.com/AdServer/js/user_sync.html?p=159110&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&us_privacy=1---", "https://hybrid-analysis.com/sample/de66bd83860e9dc66969b28f3b93b36c07c5f9d9568f13b07f0e1928490d6945/62649e273fcef808fa4c2bbb", "https://hybrid-analysis.com/sample/9116e707b9da6b1047df9412e29b816726ba3aa6ebc91d77f7f47741ccb7b7bd/6264a22fa3836270e73495b3", "https://hybrid-analysis.com/sample/b3d7008253008166b2abeb2fcc642d9c5e354435f7cb83a681b3cba82840002e/62626a096a89191d343c4546", "usync.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 693, "hostname": 325, "domain": 205, "FileHash-SHA256": 148, "FileHash-MD5": 31, "CVE": 1, "FileHash-SHA1": 22, "email": 3 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62498485afc3d6ebba050b8b", "name": "www.virgilio. various Malacious tld's", "description": "", "modified": "2022-05-03T00:01:26.398000", "created": "2022-04-03T11:27:01.556000", "tags": [ "virgillo" ], "references": [ "https://hybrid-analysis.com/sample/c914c5cc1371bbc7d2285bbbeec77a94a0d1586c73d3a3f95b48766f1452cca8/6248c9f1f90df91459524ac8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 336, "domain": 177, "URL": 818, "FileHash-SHA256": 238, "CVE": 1, "FileHash-MD5": 79, "FileHash-SHA1": 47, "email": 6 }, "indicator_count": 1702, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1448 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6236fd4f28c3eb5b44fc33ae", "name": "http://www.diapers.com.sg/GOO.N-Japan-Version-Diapers-Pants/", "description": "", "modified": "2022-04-19T00:01:05.210000", "created": "2022-03-20T10:09:19.042000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "threat level", "date", "windows nt", "sha256", "pcap", "pcap processing", "report domain", "accept", "path", "error", "suspicious", "malicious", "this", "vvsc", "hybrid", "close", "click", "hosts", "general", "local", "trident", "strings" ], "references": [ "https://hybrid-analysis.com/sample/d6efd0eda408fff305f6281307657f61e344e24345dfbbb166b4ca50f7abff0d/6236eaf4900f62451b39492f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 602, "hostname": 299, "domain": 149, "FileHash-SHA256": 307, "email": 4, "CVE": 1, "FileHash-MD5": 59, "FileHash-SHA1": 53 }, "indicator_count": 1474, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1462 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622c42836d7c741d4156fc83", "name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts", "description": "T1553", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T06:49:39.036000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "tcomparer", "tlist", "tarray", "path", "icomparer", "tcomparison", "tenumerator", "suspicious", "date", "delphi", "error", "hybrid", "close", "click", "hosts", "stack", "win32", "malicious", "general", "pecompact", "strings", "code", "data", "decrypted ssl", "threat level", "windows nt", "pcap", "pcap processing", "sha256", "report domain", "accept", "core", "false", "local", "mozilla" ], "references": [ "https://hybrid-analysis.com/sample/ac15b6c5ede04e496b08523bf7deac3694dc3cd34474a9d4e57e23255f56b647/6222a011962dca32330a5c2d", "https://hybrid-analysis.com/sample/246eb0388eff22439e0b48cd3d5ffa8c434559c52638ed166d8b96b2b8fea7ac/61f4919bf315615dd65ca107" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 516, "URL": 713, "FileHash-SHA256": 340, "domain": 356, "FileHash-MD5": 119, "FileHash-SHA1": 59, "email": 3, "SSLCertFingerprint": 4 }, "indicator_count": 2110, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622772a53274b509660d46af", "name": "Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye", "description": "so much familiarity here from the last 5 Years, this is by far compromise on supply chain of the century all the big boys are featured no surprise to me. The question is just how many are compromised from home routers and personal devices", "modified": "2022-04-07T00:04:02.553000", "created": "2022-03-08T15:13:41.976000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "ecacc", "gmtetag", "date", "sha256", "pcap", "path", "accept", "back", "close", "click", "solid", "class", "flame", "splash", "verify", "direct", "suspicious", "malicious", "sybuex", "core", "agent", "code", "model", "next", "first", "phase", "impact", "trim", "hybrid", "hosts", "format", "general", "strings", "dupont", "meta", "body", "local", "trident", "gynx", "mozilla" ], "references": [ "https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100", "https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100", "https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100", "ok12110.ok1.chatbot.lab.works-hi.co.jp", "ns-19.awsdns-02.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 888, "domain": 337, "URL": 1698, "FileHash-SHA256": 537, "email": 4, "CVE": 1, "FileHash-MD5": 159, "FileHash-SHA1": 127 }, "indicator_count": 3751, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://reviews.gns3.com/", "https://hybrid-analysis.com/sample/9116e707b9da6b1047df9412e29b816726ba3aa6ebc91d77f7f47741ccb7b7bd/6264a22fa3836270e73495b3", "https://hybrid-analysis.com/sample/246eb0388eff22439e0b48cd3d5ffa8c434559c52638ed166d8b96b2b8fea7ac/61f4919bf315615dd65ca107", "https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100", "https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0", "https://hybrid-analysis.com/sample/fcf01007f38956f164a86deda652684fe6c76c41db32f5ac38a43712615154dc/6271a3fc12c9eb6e7053caf1", "https://hybrid-analysis.com/sample/de66bd83860e9dc66969b28f3b93b36c07c5f9d9568f13b07f0e1928490d6945/62649e273fcef808fa4c2bbb", "https://hybrid-analysis.com/sample/d6efd0eda408fff305f6281307657f61e344e24345dfbbb166b4ca50f7abff0d/6236eaf4900f62451b39492f", "https://sync.richaudience.com/74889303289e27f327ad0c6de7be7264/?p=1BTOoaD22a&consentString=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&ccpa_", "usync.html", "https://hybrid-analysis.com/sample/ac15b6c5ede04e496b08523bf7deac3694dc3cd34474a9d4e57e23255f56b647/6222a011962dca32330a5c2d", "https://hybrid-analysis.com/sample/bca1a3df6a236ec7870fbae8a5d5c5597347dad17f9b00e49c05ab1eb8e87f83/64319a805d10c703330b366e", "https://hybrid-analysis.com/sample/b3d7008253008166b2abeb2fcc642d9c5e354435f7cb83a681b3cba82840002e/62626a096a89191d343c4546", "https://onetag-sys.com/usync/?pubId=6b859b96c564fbe", "https://hybrid-analysis.com/sample/f5c28aaa1eed64eb2abcc9bf3208dbd597b01d0eff7cb0abbcecaf70b77eec3c/62afaa107abd8e4632069a53", "https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100", "ok12110.ok1.chatbot.lab.works-hi.co.jp", "https://2021.igem.org/Team:KU_Leuven/test2", "https://hybrid-analysis.com/sample/c914c5cc1371bbc7d2285bbbeec77a94a0d1586c73d3a3f95b48766f1452cca8/6248c9f1f90df91459524ac8", "https://www.hybrid-analysis.com/sample/facdbc6b7b2cb2a4ba4d45dc831c29834813a8690a81d206e3472b2aacd926bd/62d6a6da34c2b45239660f93", "https://hybrid-analysis.com/sample/ec9301fa384e42acecc146ee968746c58a5f2d5d89bc458a34cccbff67a7fec9/629317f648d8dd3f412c289a", "https://ssbsync.smartadserver.com/api/sync?callerId=43&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA", "https://ads.pubmatic.com/AdServer/js/user_sync.html?p=159110&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&us_privacy=1---", "ns-19.awsdns-02.com", "Hybrid-A gives clean bill of health with all this nastyness ??????", "https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100", "Found malicious artifacts related to \"108.156.107.37\": ... URL: https://daycoval.facildepagar.com.br/ (AV positives: 8/95 scanned on 06/19/2022 01:54:19) URL: https://search.thejobspotter.com/ (AV positives: 1/95 scanned on 06/17/2022 18:02:39) URL: http://www.onlyonesearch.com/?q=caixa%20geral%20de%20dep%C3%B3sitos%20caixadirecta (AV positives: 1/95 scanned on 06/17/2022 04:21:41) URL: https://dp.la/search (AV positives: 1/95 scanned on 06/14/2022 18:12:11) URL: http://www.ute.com/templates/email_signatur" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 50885 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/awsdns-02.com", "whois": "http://whois.domaintools.com/awsdns-02.com", "domain": "awsdns-02.com", "hostname": "ns-18.awsdns-02.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "69dba8a0f375964d468b9ba0", "name": "Credit: DorkingBeauty1- Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye", "description": "", "modified": "2026-04-12T14:17:39.016000", "created": "2026-04-12T14:13:52.560000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "ecacc", "gmtetag", "date", "sha256", "pcap", "path", "accept", "back", "close", "click", "solid", "class", "flame", "splash", "verify", "direct", "suspicious", "malicious", "sybuex", "core", "agent", "code", "model", "next", "first", "phase", "impact", "trim", "hybrid", "hosts", "format", "general", "strings", "dupont", "meta", "body", "local", "trident", "gynx", "mozilla" ], "references": [ "https://hybrid-analysis.com/sample/62b6cea0e6e2b40533d835de1968ce767764a36f1f9de2b603ddc2d72aa5e246?environmentId=100", "https://hybrid-analysis.com/sample/1e018f44cfe693f0cd2a5e6491a21eb65bdd0f02fb694eb131eaf5d9118f39ee?environmentId=100", "https://hybrid-analysis.com/sample/e9425c4658ad484851e6b207e7c1ebb7df9da7f793bc35216c46285ef224aa83?environmentId=100", "ok12110.ok1.chatbot.lab.works-hi.co.jp", "ns-19.awsdns-02.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "622772a53274b509660d46af", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 902, "domain": 338, "URL": 1721, "FileHash-SHA256": 558, "email": 4, "CVE": 1, "FileHash-MD5": 159, "FileHash-SHA1": 128, "IPv4": 3 }, "indicator_count": 3814, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570908823f97b5559b71806", "name": ";http://tiktok.hop3.pw/EaL8Ufp - Hybrid A report upliad", "description": "", "modified": "2023-12-06T15:17:28.460000", "created": "2023-12-06T15:17:28.460000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 239, "domain": 403, "email": 10, "URL": 1032, "hostname": 561, "FileHash-MD5": 84, "FileHash-SHA1": 49 }, "indicator_count": 2378, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708d3fec7eeee20ce02403", "name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage", "description": "", "modified": "2023-12-06T15:03:27.390000", "created": "2023-12-06T15:03:27.390000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1374, "hostname": 792, "domain": 517, "URL": 1529, "FileHash-MD5": 81, "FileHash-SHA1": 71 }, "indicator_count": 4366, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708a8f3203633312147d1e", "name": "www.virgilio. various Malacious tld's", "description": "", "modified": "2023-12-06T14:51:59.166000", "created": "2023-12-06T14:51:59.166000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 238, "URL": 818, "domain": 177, "hostname": 336, "email": 6, "FileHash-MD5": 79, "FileHash-SHA1": 47 }, "indicator_count": 1702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089bdb1d8a5ad0edc6614", "name": "http://www.diapers.com.sg/GOO.N-Japan-Version-Diapers-Pants/", "description": "", "modified": "2023-12-06T14:48:29.397000", "created": "2023-12-06T14:48:29.397000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 307, "domain": 149, "hostname": 299, "URL": 602, "email": 4, "FileHash-MD5": 59, "FileHash-SHA1": 53 }, "indicator_count": 1474, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708172b5b5810d62645bfe", "name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts", "description": "", "modified": "2023-12-06T14:13:06.127000", "created": "2023-12-06T14:13:06.127000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 516, "FileHash-SHA256": 340, "URL": 713, "email": 3, "domain": 356, "FileHash-MD5": 119, "FileHash-SHA1": 59, "SSLCertFingerprint": 4 }, "indicator_count": 2110, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657080d7cc6525322cdb9052", "name": "Charles-152.199.19.160- from scan various dupont domains- malicious- Oracle Supply Chain or Turning Blind eye", "description": "", "modified": "2023-12-06T14:10:31.519000", "created": "2023-12-06T14:10:31.519000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 537, "hostname": 888, "URL": 1698, "email": 4, "domain": 337, "CVE": 1, "FileHash-MD5": 159, "FileHash-SHA1": 127 }, "indicator_count": 3751, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6431d1244a8ae763a8d5ed74", "name": "http://hm732.com/ - v2 all and sundrie", "description": "", "modified": "2023-05-08T20:02:01.231000", "created": "2023-04-08T20:40:04.099000", "tags": [ "trojan", "chromeua", "dropped file", "optout", "runtime data", "object", "drmedgeua", "unicode", "optin", "edgeua", "span", "error", "win64", "date", "format", "addressbar", "generator", "path", "template", "suspicious", "unknown", "void", "desktop", "dark", "light", "mozilla", "this", "cookie", "meta", "iframe", "window", "legend", "null", "wind", "strings", "qakbot", "http://hm732.com/" ], "references": [ "https://hybrid-analysis.com/sample/bca1a3df6a236ec7870fbae8a5d5c5597347dad17f9b00e49c05ab1eb8e87f83/64319a805d10c703330b366e" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2345, "hostname": 951, "domain": 405, "FileHash-SHA256": 82, "FileHash-MD5": 63, "FileHash-SHA1": 61, "email": 5 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1077 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ns-18.awsdns-02.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ns-18.awsdns-02.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776703597.0078511 }