{ "type": "URL", "indicator": "https://om.g.n.call/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://om.g.n.call/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3769653061, "indicator": "https://om.g.n.call/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "251 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "251 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6844240c68255798e08beb3b", "name": "Bilety online: Tw\u00f3j kolejowy partner w podr\u00f3\u017cy", "description": "Microsoft has created a new version of its XMLHttpRequest, which allows users to access a website, via a browser or browser without the permission of a third party, using the same address.", "modified": "2025-07-07T00:01:51.704000", "created": "2025-06-07T11:35:40.942000", "tags": [ "sign", "google sign", "forgot email", "criminalip", "create account", "bilety online", "sprzeday biletw", "polregio", "ssdeep", "license", "typeerror", "regexp", "promise", "function", "version", "typeof symbol", "copyright", "google llc", "apache license", "date", "without", "error", "blank", "trident", "generator", "class", "mountain view", "android", "submission", "california", "common name", "google inc", "unit android", "country code", "us state", "sha1", "sha256", "imphash", "pehash", "file type", "vhash", "authentihash" ], "references": [ "http://bilety.polregio.pl", "https://bilety.polregio.pl", "http://www.salesmanago.pl/static/sm.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1295, "hostname": 302, "domain": 137, "FileHash-SHA256": 996, "FileHash-MD5": 38, "FileHash-SHA1": 40, "IPv4": 1 }, "indicator_count": 2809, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67883dacc017d495135696fd", "name": "Pay.gov - Home is an official website of the United States government", "description": "Pay.gov is an official website of the United States government and is a secure, secure way to pay debts, fees and other items, but can you access these via the web or mobile phone?", "modified": "2025-05-14T21:17:13.858000", "created": "2025-01-15T22:58:51.984000", "tags": [ "system", "to privacy", "in this", "this system", "by any", "user", "authorized or", "unauthorized", "consent to", "this monitoring", "interception", "d5d5d5", "c3d9ff", "2px 2px", "e8e8e8", "e4effb", "e7e7e7", "fff url", "textarea", "google sans", "arial", "invalid file", "post", "select", "typeof c", "invalidfilesize", "typeof", "error", "typeof symbol", "button", "array", "date", "typeof t", "span", "arrowdown", "navigate", "element", "click", "null", "backspace", "accept", "insert", "meta", "february", "april", "june", "august", "this", "value", "regexp", "azaz", "100b", "object", "cell", "azaz09", "404not", "09az", "mouse click", "opacity", "helvetica", "foundation", "alpha", "georgia", "cambria", "times new", "roman", "times", "helvetica neue", "roboto", "90deg", "esc" ], "references": [ "https://www.pay.gov/public/home", "24px.svg", "saved_resource.html", "search--white.svg", "close.svg", "icon-dot-gov.svg", "icon-https.svg", "m=el_main_css", "paygov-final.min.js", "uswds.min.js.pobrane", "Universal-Federated-Analytics-Min.js", "jquery-ui.min.css", "paygov.min.css", "uswds-init.min.js" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Esc", "display_name": "Esc", "target": null } ], "attack_ids": [ { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 49, "hostname": 109, "URL": 475, "FileHash-SHA256": 140 }, "indicator_count": 773, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3e0652560b9b323d0e5a0", "name": "validator/site/nu-script.js at main \u00b7 validator/validator \u00b7 GitHub 128.30.52.73", "description": "GitHub is the world's most advanced open source platform, powered by artificial intelligence (AI), and you can now access all your code, repositories, users, issues and other data at any time.", "modified": "2024-12-17T14:35:28.041000", "created": "2024-09-01T03:32:53.350000", "tags": [ "sign", "github", "github copilot", "search", "validator", "code issues", "pull", "wiki security", "skip", "navigation", "write", "star", "footer", "valid", "algorithm", "thumbprint", "serial number", "from", "valid from", "pca issuer", "microsoft root", "signing ca", "microsoft code", "class" ], "references": [ "https://github.com/validator/validator/blob/main/site/nu-script.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 29, "URL": 140, "FileHash-MD5": 21, "email": 1, "FileHash-SHA256": 74, "domain": 17, "hostname": 42, "IPv4": 8, "CVE": 1 }, "indicator_count": 333, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "489 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65575839f772f9f944f7af94", "name": "Command and Scripting Interpreter | www.supernetforme.com", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T12:10:33.958000", "tags": [ "ssl certificate", "whois record", "threat roundup", "contacted", "communicating", "referrer", "june", "july", "october", "historical ssl", "malware", "august", "path", "treatas", "hkcuclsid", "document file", "v2 document", "sha256", "ascii text", "size", "type data", "html document", "february", "hybrid", "general", "local", "factory", "click", "strings", "pattern match", "root ca", "authority", "class", "script", "mitre att", "ck id", "show technique", "ck matrix", "date", "error", "unknown", "generator", "critical", "body", "info", "trace", "void", "c2", "trojan", "parked domain", "registrar abuse", "tracking", "deep search", "command_and_control" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AI Packer", "display_name": "AI Packer", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Banto", "display_name": "Banto", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 368, "FileHash-MD5": 81, "FileHash-SHA1": 76, "FileHash-SHA256": 1015, "URL": 1639, "domain": 329 }, "indicator_count": 3508, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653d41d95fceb536fa8b3bae", "name": "https://www.npmjs.com/", "description": "Github critical bounty", "modified": "2023-11-27T19:03:33.482000", "created": "2023-10-28T17:16:09.274000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 902, "domain": 448, "hostname": 378, "FileHash-SHA256": 6821, "FileHash-MD5": 1308, "FileHash-SHA1": 1270, "CVE": 2, "email": 4 }, "indicator_count": 11133, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6535ef14a479ec0ed4c895b4", "name": "Malicious Google - Sign in? https://accounts.google.com/speedbump/changepassword", "description": "Is account part of Botnet. I witnessed; login needs to be reset, logged out [get this 'https://accounts.google.com/speedbump/changepassword' read browser bar when looks suspect, log in to a Google interface, titled Google Account, font is different. Says this device logged in for the first time 10/19/2023. Untrue. Implicated someone had password and Google critical security alert email.\nI haven't had enough time to research. Hostile bruteforce account login.? Complete CNC on Google email accounts.", "modified": "2023-11-22T03:03:38.455000", "created": "2023-10-23T03:57:08.696000", "tags": [ "detection list", "ip address", "blacklist", "united", "cisco umbrella", "site", "alexa top", "safe site", "malicious url", "million", "facebook", "hsbc group", "blacknet rat", "stealer", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "noname057", "name verdict", "falcon sandbox", "date", "markmonitor", "name server", "opera", "edge", "error", "hidden", "windir", "silk", "unknown", "android", "hybrid", "general", "click", "strings", "trident", "class", "critical", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "script", "self", "pragma", "html info", "title sign", "meta tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 208, "FileHash-MD5": 1206, "FileHash-SHA1": 609, "FileHash-SHA256": 564, "domain": 116, "URL": 457 }, "indicator_count": 3160, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "880 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d947db1f44d13bf9982", "name": " Malicious Google - Sign in? https://accounts.google.com/speedbump", "description": "", "modified": "2023-11-22T03:03:38.455000", "created": "2023-10-30T03:05:56.431000", "tags": [ "detection list", "ip address", "blacklist", "united", "cisco umbrella", "site", "alexa top", "safe site", "malicious url", "million", "facebook", "hsbc group", "blacknet rat", "stealer", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "noname057", "name verdict", "falcon sandbox", "date", "markmonitor", "name server", "opera", "edge", "error", "hidden", "windir", "silk", "unknown", "android", "hybrid", "general", "click", "strings", "trident", "class", "critical", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "script", "self", "pragma", "html info", "title sign", "meta tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6535ef14a479ec0ed4c895b4", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 208, "FileHash-MD5": 1206, "FileHash-SHA1": 609, "FileHash-SHA256": 564, "domain": 116, "URL": 457 }, "indicator_count": 3160, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "880 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a50c4487060d52346fd", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:54:55.973000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652b2a8048e6a285461c4a5d", "name": "Fitbit app link IoC's", "description": "Critical. Fitbit download link found in Google search results.\n[https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile]\n\nBlackNET is a Remote Access Trojan (RAT) - Advanced Windows Botnet.\nCapabilities: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. \n\nOpenCandy , PUP\nCapabilities: Browser home page hijacker, installs unwanted toolbars, plug-ins, and extensions to web browsers, collects information, user\u2019s surfing habits, distribution to third parties without user consent.\n\nProcess Injection: Privilege escalation adversaries use to inject arbitrary code.", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-14T23:55:42.972000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f147a7e55dd916fe9e3e2", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-11-13T22:04:06.580000", "created": "2023-10-30T02:27:06.140000", "tags": [ "ssl certificate", "contacted", "contacted urls", "referrer", "march", "historical ssl", "whois sslcert", "suspicious", "execution", "malware", "core", "name verdict", "falco", "pattern match", "ascii text", "file", "png image", "sdcwhb", "windows nt", "jpeg image", "jfif", "appdata", "kg2exe", "date", "unknown", "general", "hybrid", "this", "click", "strings", "class", "critical", "error", "zfaoz", "falcon sandbox", "exit", "node tcp", "traffic", "et tor", "known tor", "relayrouter", "tor known", "tor relayrouter", "detection list", "ip address", "cisco umbrella", "heur", "site", "safe site", "alexa top", "million", "maltiverse", "malicious url", "malicious site", "unsafe", "riskware", "swrort", "downldr", "artemis", "team", "phishing", "iframe", "crack", "xrat", "installcore", "facebook", "bank", "opencandy", "nircmd", "exploit", "filetour", "cleaner", "wacatac", "win64", "unruy", "blacknet rat", "stealer", "azorult", "service", "runescape", "download", "tiggre", "presenoker", "conduit", "xtrat", "agent", "patcher", "adload", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "adposhel", "union", "trojanspy", "webtoolbar", "blacklist https", "blacklist", "command_and_control", "Fitbit", "hidden tear", "google", "spyware", "potentially unwanted progams", "network", "bundlers", "aware" ], "references": [ "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ZfAoz", "display_name": "ZfAoz", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WisdomEyes.16070401.9500", "display_name": "WisdomEyes.16070401.9500", "target": null }, { "id": "Wacatac", "display_name": "Wacatac", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "652b2a8048e6a285461c4a5d", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1052, "FileHash-MD5": 173, "FileHash-SHA1": 168, "FileHash-SHA256": 3730, "URL": 2806, "domain": 446, "CVE": 17, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "saved_resource.html", "paygov-final.min.js", "paygov.min.css", "close.svg", "https://www.pay.gov/public/home", "http://bilety.polregio.pl", "https://bilety.polregio.pl", "https://play.google.com/store/apps/details?id=com.fitbit.FitbitMobile", "https://www.hybrid-analysis.com/sample/1e5fe7747a445f340ed8db6bd946b6fb2cf2db123b08c3ac818cb8a1c2ae28d0", "jquery-ui.min.css", "icon-dot-gov.svg", "uswds.min.js.pobrane", "Universal-Federated-Analytics-Min.js", "24px.svg", "icon-https.svg", "http://www.salesmanago.pl/static/sm.js", "search--white.svg", "https://github.com/validator/validator/blob/main/site/nu-script.js", "uswds-init.min.js", "m=el_main_css" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Esc", "Trojan", "Trojanspy", "Wisdomeyes.16070401.9500", "Blacknet rat", "Matrix", "Ai packer", "Unruy", "Mediamagnet", "Wacatac", "Webtoolbar", "Zfaoz", "Maltiverse", "Banto", "Trojan:win32/tiggre" ], "industries": [], "unique_indicators": 63500 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/n.call", "whois": "http://whois.domaintools.com/n.call", "domain": "n.call", "hostname": "om.g.n.call" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "251 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "251 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6844240c68255798e08beb3b", "name": "Bilety online: Tw\u00f3j kolejowy partner w podr\u00f3\u017cy", "description": "Microsoft has created a new version of its XMLHttpRequest, which allows users to access a website, via a browser or browser without the permission of a third party, using the same address.", "modified": "2025-07-07T00:01:51.704000", "created": "2025-06-07T11:35:40.942000", "tags": [ "sign", "google sign", "forgot email", "criminalip", "create account", "bilety online", "sprzeday biletw", "polregio", "ssdeep", "license", "typeerror", "regexp", "promise", "function", "version", "typeof symbol", "copyright", "google llc", "apache license", "date", "without", "error", "blank", "trident", "generator", "class", "mountain view", "android", "submission", "california", "common name", "google inc", "unit android", "country code", "us state", "sha1", "sha256", "imphash", "pehash", "file type", "vhash", "authentihash" ], "references": [ "http://bilety.polregio.pl", "https://bilety.polregio.pl", "http://www.salesmanago.pl/static/sm.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1295, "hostname": 302, "domain": 137, "FileHash-SHA256": 996, "FileHash-MD5": 38, "FileHash-SHA1": 40, "IPv4": 1 }, "indicator_count": 2809, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67883dacc017d495135696fd", "name": "Pay.gov - Home is an official website of the United States government", "description": "Pay.gov is an official website of the United States government and is a secure, secure way to pay debts, fees and other items, but can you access these via the web or mobile phone?", "modified": "2025-05-14T21:17:13.858000", "created": "2025-01-15T22:58:51.984000", "tags": [ "system", "to privacy", "in this", "this system", "by any", "user", "authorized or", "unauthorized", "consent to", "this monitoring", "interception", "d5d5d5", "c3d9ff", "2px 2px", "e8e8e8", "e4effb", "e7e7e7", "fff url", "textarea", "google sans", "arial", "invalid file", "post", "select", "typeof c", "invalidfilesize", "typeof", "error", "typeof symbol", "button", "array", "date", "typeof t", "span", "arrowdown", "navigate", "element", "click", "null", "backspace", "accept", "insert", "meta", "february", "april", "june", "august", "this", "value", "regexp", "azaz", "100b", "object", "cell", "azaz09", "404not", "09az", "mouse click", "opacity", "helvetica", "foundation", "alpha", "georgia", "cambria", "times new", "roman", "times", "helvetica neue", "roboto", "90deg", "esc" ], "references": [ "https://www.pay.gov/public/home", "24px.svg", "saved_resource.html", "search--white.svg", "close.svg", "icon-dot-gov.svg", "icon-https.svg", "m=el_main_css", "paygov-final.min.js", "uswds.min.js.pobrane", "Universal-Federated-Analytics-Min.js", "jquery-ui.min.css", "paygov.min.css", "uswds-init.min.js" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Esc", "display_name": "Esc", "target": null } ], "attack_ids": [ { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 49, "hostname": 109, "URL": 475, "FileHash-SHA256": 140 }, "indicator_count": 773, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3e0652560b9b323d0e5a0", "name": "validator/site/nu-script.js at main \u00b7 validator/validator \u00b7 GitHub 128.30.52.73", "description": "GitHub is the world's most advanced open source platform, powered by artificial intelligence (AI), and you can now access all your code, repositories, users, issues and other data at any time.", "modified": "2024-12-17T14:35:28.041000", "created": "2024-09-01T03:32:53.350000", "tags": [ "sign", "github", "github copilot", "search", "validator", "code issues", "pull", "wiki security", "skip", "navigation", "write", "star", "footer", "valid", "algorithm", "thumbprint", "serial number", "from", "valid from", "pca issuer", "microsoft root", "signing ca", "microsoft code", "class" ], "references": [ "https://github.com/validator/validator/blob/main/site/nu-script.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 29, "URL": 140, "FileHash-MD5": 21, "email": 1, "FileHash-SHA256": 74, "domain": 17, "hostname": 42, "IPv4": 8, "CVE": 1 }, "indicator_count": 333, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "489 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65575839f772f9f944f7af94", "name": "Command and Scripting Interpreter | www.supernetforme.com", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T12:10:33.958000", "tags": [ "ssl certificate", "whois record", "threat roundup", "contacted", "communicating", "referrer", "june", "july", "october", "historical ssl", "malware", "august", "path", "treatas", "hkcuclsid", "document file", "v2 document", "sha256", "ascii text", "size", "type data", "html document", "february", "hybrid", "general", "local", "factory", "click", "strings", "pattern match", "root ca", "authority", "class", "script", "mitre att", "ck id", "show technique", "ck matrix", "date", "error", "unknown", "generator", "critical", "body", "info", "trace", "void", "c2", "trojan", "parked domain", "registrar abuse", "tracking", "deep search", "command_and_control" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "AI Packer", "display_name": "AI Packer", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Banto", "display_name": "Banto", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 368, "FileHash-MD5": 81, "FileHash-SHA1": 76, "FileHash-SHA256": 1015, "URL": 1639, "domain": 329 }, "indicator_count": 3508, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a958f96f9b29641ea020", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:03:20.219000", "created": "2023-12-06T17:03:20.219000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a927b24b94cdd5d344d1", "name": "Fitbit app link IoC's", "description": "", "modified": "2023-12-06T17:02:31.854000", "created": "2023-12-06T17:02:31.854000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 17, "FileHash-SHA256": 3730, "hostname": 1052, "domain": 446, "URL": 2806, "FileHash-MD5": 173, "FileHash-SHA1": 168, "email": 1 }, "indicator_count": 8393, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653d41d95fceb536fa8b3bae", "name": "https://www.npmjs.com/", "description": "Github critical bounty", "modified": "2023-11-27T19:03:33.482000", "created": "2023-10-28T17:16:09.274000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 902, "domain": 448, "hostname": 378, "FileHash-SHA256": 6821, "FileHash-MD5": 1308, "FileHash-SHA1": 1270, "CVE": 2, "email": 4 }, "indicator_count": 11133, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://om.g.n.call/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://om.g.n.call/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776699788.6527593 }