{
"type": "URL",
"indicator": "https://pb.pbentrypoint.net",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://pb.pbentrypoint.net",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3230074986,
"indicator": "https://pb.pbentrypoint.net",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 4,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "267 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "665bb7679843a6dabe4560e3",
"name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?",
"description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.",
"modified": "2024-09-05T06:11:17.325000",
"created": "2024-06-02T00:05:59.160000",
"tags": [
"strong",
"story contact",
"us leadership",
"open menu",
"close menu",
"digital",
"thank",
"us zoom",
"skip",
"content home",
"enterprise",
"contact",
"threat roundup",
"august",
"historical ssl",
"april",
"referrer",
"formbook",
"ip check",
"vt graph",
"relacionada",
"cobalt strike",
"hiddentear",
"life",
"malware",
"open",
"mumblehard",
"sparkrat",
"attack",
"uszoom og",
"submission",
"analysis",
"utc http",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"graph api",
"status",
"content type",
"date",
"anchor hrefs",
"hrefs",
"cart contact",
"leadership",
"html info",
"title uszoom",
"meta tags",
"uszoom twitter",
"script tags",
"vhash htm",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"magika cttxt",
"file size",
"united",
"as20940",
"aaaa",
"canada",
"search",
"showing",
"cname",
"as35994 akamai",
"passive dns",
"next",
"as21928",
"unknown",
"urls",
"domain",
"creation date",
"emails",
"ipcounsel",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"files",
"invalid url",
"body",
"name servers",
"akamai",
"expiration date",
"asnone united",
"a nxdomain",
"india",
"as15224 adobe",
"bdclid",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"yara rule",
"high",
"explorer",
"alerts",
"less see",
"contacted",
"service",
"attempts",
"guard",
"url http",
"pulse pulses",
"http",
"related nids",
"files location",
"ip related",
"hostname",
"files ip",
"address domain",
"as46606",
"td td",
"script script",
"gmt path",
"create",
"website",
"set cookie",
"a td",
"win32",
"flash",
"pragma",
"cookie",
"xmpmm",
"png image",
"rgba",
"documentid",
"instanceid",
"creatortool",
"pattern match",
"adobe photoshop",
"macintosh",
"june",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"anomalous_deletefile",
"info_stealer",
"et trojan",
"banload http",
"banload",
"ids detections",
"yara detections",
"bancos variant",
"c2 checkin",
"ntkrnlpacker",
"copy",
"meredrop",
"injection",
"e0e2edee",
"push",
"read",
"write",
"delete",
"entries",
"crlf line",
"anomalous file",
"medium",
"filehash",
"av detections",
"analysis date",
"file score",
"medium risk",
"detections none",
"related pulses",
"apple",
"apple id",
"apple private data collection",
"apple staging",
"t-mobile",
"metroby",
"keylogger"
],
"references": [
"https://uszoom.com/",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"Malicious Score: 10",
"Yara Detections: DotNET_Reactor",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Yara Detections stack_string , Armadillov1xxv2xx",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Keylogger.Susppack-9876601-0",
"display_name": "Win.Keylogger.Susppack-9876601-0",
"target": null
},
{
"id": "Win.Trojan.Sdum-9807706-0",
"display_name": "Win.Trojan.Sdum-9807706-0",
"target": null
},
{
"id": "Win32.Meredrop Checkin",
"display_name": "Win32.Meredrop Checkin",
"target": null
},
{
"id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"target": null
},
{
"id": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1048.002",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1434",
"name": "App Delivered via Email Attachment",
"display_name": "T1434 - App Delivered via Email Attachment"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"email": 8,
"FileHash-MD5": 167,
"FileHash-SHA1": 129,
"FileHash-SHA256": 2008,
"URL": 11241,
"domain": 1853,
"hostname": 4198,
"SSLCertFingerprint": 10,
"CVE": 1
},
"indicator_count": 19615,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "633 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6681f6738d3aa876f83738d0",
"name": "USZoom [New York , USA] | iPostal1",
"description": "",
"modified": "2024-07-01T23:00:42.052000",
"created": "2024-07-01T00:21:07.491000",
"tags": [
"strong",
"story contact",
"us leadership",
"open menu",
"close menu",
"digital",
"thank",
"us zoom",
"skip",
"content home",
"enterprise",
"contact",
"threat roundup",
"august",
"historical ssl",
"april",
"referrer",
"formbook",
"ip check",
"vt graph",
"relacionada",
"cobalt strike",
"hiddentear",
"life",
"malware",
"open",
"mumblehard",
"sparkrat",
"attack",
"uszoom og",
"submission",
"analysis",
"utc http",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"graph api",
"status",
"content type",
"date",
"anchor hrefs",
"hrefs",
"cart contact",
"leadership",
"html info",
"title uszoom",
"meta tags",
"uszoom twitter",
"script tags",
"vhash htm",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"magika cttxt",
"file size",
"united",
"as20940",
"aaaa",
"canada",
"search",
"showing",
"cname",
"as35994 akamai",
"passive dns",
"next",
"as21928",
"unknown",
"urls",
"domain",
"creation date",
"emails",
"ipcounsel",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"files",
"invalid url",
"body",
"name servers",
"akamai",
"expiration date",
"asnone united",
"a nxdomain",
"india",
"as15224 adobe",
"bdclid",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"yara rule",
"high",
"explorer",
"alerts",
"less see",
"contacted",
"service",
"attempts",
"guard",
"url http",
"pulse pulses",
"http",
"related nids",
"files location",
"ip related",
"hostname",
"files ip",
"address domain",
"as46606",
"td td",
"script script",
"gmt path",
"create",
"website",
"set cookie",
"a td",
"win32",
"flash",
"pragma",
"cookie",
"xmpmm",
"png image",
"rgba",
"documentid",
"instanceid",
"creatortool",
"pattern match",
"adobe photoshop",
"macintosh",
"june",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"anomalous_deletefile",
"info_stealer",
"et trojan",
"banload http",
"banload",
"ids detections",
"yara detections",
"bancos variant",
"c2 checkin",
"ntkrnlpacker",
"copy",
"meredrop",
"injection",
"e0e2edee",
"push",
"read",
"write",
"delete",
"entries",
"crlf line",
"anomalous file",
"medium",
"filehash",
"av detections",
"analysis date",
"file score",
"medium risk",
"detections none",
"related pulses",
"apple",
"apple id",
"apple private data collection",
"apple staging",
"t-mobile",
"metroby",
"keylogger"
],
"references": [
"https://uszoom.com/",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"Malicious Score: 10",
"Yara Detections: DotNET_Reactor",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Yara Detections stack_string , Armadillov1xxv2xx",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Keylogger.Susppack-9876601-0",
"display_name": "Win.Keylogger.Susppack-9876601-0",
"target": null
},
{
"id": "Win.Trojan.Sdum-9807706-0",
"display_name": "Win.Trojan.Sdum-9807706-0",
"target": null
},
{
"id": "Win32.Meredrop Checkin",
"display_name": "Win32.Meredrop Checkin",
"target": null
},
{
"id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"target": null
},
{
"id": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1048.002",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1434",
"name": "App Delivered via Email Attachment",
"display_name": "T1434 - App Delivered via Email Attachment"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": "665bb7679843a6dabe4560e3",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"email": 8,
"FileHash-MD5": 167,
"FileHash-SHA1": 129,
"FileHash-SHA256": 1890,
"URL": 10360,
"domain": 1799,
"hostname": 3994,
"SSLCertFingerprint": 10,
"CVE": 1
},
"indicator_count": 18358,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "698 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"Yara Detections stack_string , Armadillov1xxv2xx",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"Yara Detections: DotNET_Reactor",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"https://uszoom.com/",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |",
"Malicious Score: 10",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"div>
",
"Same legal , and quasi governmental pattern identified",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"It appears there are 5-7 known affected that I was able to find",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"I apologize for the lack of reference."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Pdf.phishing.ttraffrobotinstall-7605656-0",
"Trojan:win32/smkldr.h!mtb",
"#lowfi:lua:dllsuspiciousexport.a",
"Win32.meredrop checkin",
"Win.trojan.sdum-9807706-0",
"Icedid",
"Win.keylogger.susppack-9876601-0",
"#lowfi:hstr:trojanspy:win32/bancos",
"Mydoom"
],
"industries": [
"Telecom",
"Legal",
"Technology",
"Telecommunications",
"Civil society"
],
"unique_indicators": 44654
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/pbentrypoint.net",
"whois": "http://whois.domaintools.com/pbentrypoint.net",
"domain": "pbentrypoint.net",
"hostname": "pb.pbentrypoint.net"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 4,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893eee9bf1b30e08d1a6d8e",
"name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood",
"description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.",
"modified": "2025-09-05T23:02:52.811000",
"created": "2025-08-07T00:10:17.696000",
"tags": [
"address google",
"safe browsing",
"united",
"typeof",
"passive dns",
"body doctype",
"nreum",
"date",
"gmt server",
"apache x",
"cnection",
"content type",
"span",
"ok transfer",
"encoding",
"x powered",
"unknown soa",
"unknown ns",
"showing",
"entries",
"next associated",
"urls show",
"body",
"encrypt",
"search",
"ip address",
"creation date",
"record value",
"present jul",
"present may",
"present apr",
"certificate",
"present aug",
"present feb",
"present dec",
"present nov",
"error",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"development att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"mitre att",
"show technique",
"ck matrix",
"pattern match",
"ascii text",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"itre att",
"accept",
"sha256",
"size",
"type data",
"utf8 text",
"document file",
"flag",
"server",
"european union",
"name server",
"tor analysis",
"dns requests",
"domain address",
"ii llc",
"windir",
"openurl c",
"prefetch2",
"show process",
"ogoogle trust",
"network traffic",
"organization",
"elton avundano",
"object",
"title object",
"header http2",
"returnurl",
"texas",
"rsa ov",
"ssl ca",
"status",
"australia",
"netherlands",
"urls",
"gmt path",
"hostname add",
"pulse submit",
"present oct",
"e safe",
"results jul",
"response ip",
"present jan",
"name servers",
"verdict",
"domain",
"files ip",
"address domain",
"xhr start",
"xhr load",
"aaaa",
"read c",
"show",
"port",
"destination",
"high",
"delete",
"outbound m3",
"copy",
"write",
"persistence",
"execution",
"malware",
"generic",
"unknown",
"present mar",
"dynamicloader",
"wine emulator",
"dynamic",
"medium",
"read",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"dnssec",
"domain name",
"solutions",
"llc status",
"next passive",
"dns status",
"hostname query",
"files show",
"date hash",
"avast avg",
"overview ip",
"address",
"related nids",
"files location",
"flag united",
"hostname",
"files domain",
"win32",
"mtb feb",
"trojan",
"susp",
"trojandropper",
"msr feb",
"trojanspy",
"virtool",
"win64",
"defense evasion",
"t1480 execution",
"file defense",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"file discovery",
"utf8",
"crlf line",
"a domains",
"script urls",
"link",
"unknown aaaa",
"meta",
"atom",
"results jan",
"present",
"present sep",
"akamai",
"asn as16625",
"less whois",
"registrar",
"http",
"france flag",
"france hostname",
"files related",
"url analysis",
"files",
"location france",
"detailed error",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"moved",
"name",
"perfect privacy",
"error jul",
"next related",
"domains show",
"domain related",
"url add",
"pulse pulses",
"hosting",
"reverse dns",
"france asn",
"as16276",
"dns resolutions",
"datacenter",
"regopenkeyexa",
"regsetvalueexa",
"windows nt",
"regdword",
"hostile",
"service",
"delphi",
"next",
"pulses none",
"related tags",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"review",
"data upload",
"extraction",
"khtml",
"gecko",
"olet",
"cnlet",
"tlsv1",
"hacktool",
"push",
"ms windows",
"intel",
"pe32",
"users",
"precreate read",
"ransom",
"code",
"installer",
"june",
"media",
"autorun",
"next yara",
"detections name",
"aspackv2xxx",
"eu alexey",
"alerts",
"pe file",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"april",
"packing t1045",
"t1045",
"t1060",
"registry run",
"keys",
"user execution",
"icmp traffic"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"URL": 6245,
"hostname": 2264,
"FileHash-SHA256": 1857,
"FileHash-SHA1": 491,
"email": 9,
"FileHash-MD5": 573,
"SSLCertFingerprint": 16
},
"indicator_count": 12587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "267 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "665bb7679843a6dabe4560e3",
"name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?",
"description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.",
"modified": "2024-09-05T06:11:17.325000",
"created": "2024-06-02T00:05:59.160000",
"tags": [
"strong",
"story contact",
"us leadership",
"open menu",
"close menu",
"digital",
"thank",
"us zoom",
"skip",
"content home",
"enterprise",
"contact",
"threat roundup",
"august",
"historical ssl",
"april",
"referrer",
"formbook",
"ip check",
"vt graph",
"relacionada",
"cobalt strike",
"hiddentear",
"life",
"malware",
"open",
"mumblehard",
"sparkrat",
"attack",
"uszoom og",
"submission",
"analysis",
"utc http",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"graph api",
"status",
"content type",
"date",
"anchor hrefs",
"hrefs",
"cart contact",
"leadership",
"html info",
"title uszoom",
"meta tags",
"uszoom twitter",
"script tags",
"vhash htm",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"magika cttxt",
"file size",
"united",
"as20940",
"aaaa",
"canada",
"search",
"showing",
"cname",
"as35994 akamai",
"passive dns",
"next",
"as21928",
"unknown",
"urls",
"domain",
"creation date",
"emails",
"ipcounsel",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"files",
"invalid url",
"body",
"name servers",
"akamai",
"expiration date",
"asnone united",
"a nxdomain",
"india",
"as15224 adobe",
"bdclid",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"yara rule",
"high",
"explorer",
"alerts",
"less see",
"contacted",
"service",
"attempts",
"guard",
"url http",
"pulse pulses",
"http",
"related nids",
"files location",
"ip related",
"hostname",
"files ip",
"address domain",
"as46606",
"td td",
"script script",
"gmt path",
"create",
"website",
"set cookie",
"a td",
"win32",
"flash",
"pragma",
"cookie",
"xmpmm",
"png image",
"rgba",
"documentid",
"instanceid",
"creatortool",
"pattern match",
"adobe photoshop",
"macintosh",
"june",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"anomalous_deletefile",
"info_stealer",
"et trojan",
"banload http",
"banload",
"ids detections",
"yara detections",
"bancos variant",
"c2 checkin",
"ntkrnlpacker",
"copy",
"meredrop",
"injection",
"e0e2edee",
"push",
"read",
"write",
"delete",
"entries",
"crlf line",
"anomalous file",
"medium",
"filehash",
"av detections",
"analysis date",
"file score",
"medium risk",
"detections none",
"related pulses",
"apple",
"apple id",
"apple private data collection",
"apple staging",
"t-mobile",
"metroby",
"keylogger"
],
"references": [
"https://uszoom.com/",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"Malicious Score: 10",
"Yara Detections: DotNET_Reactor",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Yara Detections stack_string , Armadillov1xxv2xx",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Keylogger.Susppack-9876601-0",
"display_name": "Win.Keylogger.Susppack-9876601-0",
"target": null
},
{
"id": "Win.Trojan.Sdum-9807706-0",
"display_name": "Win.Trojan.Sdum-9807706-0",
"target": null
},
{
"id": "Win32.Meredrop Checkin",
"display_name": "Win32.Meredrop Checkin",
"target": null
},
{
"id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"target": null
},
{
"id": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1048.002",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1434",
"name": "App Delivered via Email Attachment",
"display_name": "T1434 - App Delivered via Email Attachment"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"email": 8,
"FileHash-MD5": 167,
"FileHash-SHA1": 129,
"FileHash-SHA256": 2008,
"URL": 11241,
"domain": 1853,
"hostname": 4198,
"SSLCertFingerprint": 10,
"CVE": 1
},
"indicator_count": 19615,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "633 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6681f6738d3aa876f83738d0",
"name": "USZoom [New York , USA] | iPostal1",
"description": "",
"modified": "2024-07-01T23:00:42.052000",
"created": "2024-07-01T00:21:07.491000",
"tags": [
"strong",
"story contact",
"us leadership",
"open menu",
"close menu",
"digital",
"thank",
"us zoom",
"skip",
"content home",
"enterprise",
"contact",
"threat roundup",
"august",
"historical ssl",
"april",
"referrer",
"formbook",
"ip check",
"vt graph",
"relacionada",
"cobalt strike",
"hiddentear",
"life",
"malware",
"open",
"mumblehard",
"sparkrat",
"attack",
"uszoom og",
"submission",
"analysis",
"utc http",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"graph api",
"status",
"content type",
"date",
"anchor hrefs",
"hrefs",
"cart contact",
"leadership",
"html info",
"title uszoom",
"meta tags",
"uszoom twitter",
"script tags",
"vhash htm",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"magika cttxt",
"file size",
"united",
"as20940",
"aaaa",
"canada",
"search",
"showing",
"cname",
"as35994 akamai",
"passive dns",
"next",
"as21928",
"unknown",
"urls",
"domain",
"creation date",
"emails",
"ipcounsel",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"files",
"invalid url",
"body",
"name servers",
"akamai",
"expiration date",
"asnone united",
"a nxdomain",
"india",
"as15224 adobe",
"bdclid",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"yara rule",
"high",
"explorer",
"alerts",
"less see",
"contacted",
"service",
"attempts",
"guard",
"url http",
"pulse pulses",
"http",
"related nids",
"files location",
"ip related",
"hostname",
"files ip",
"address domain",
"as46606",
"td td",
"script script",
"gmt path",
"create",
"website",
"set cookie",
"a td",
"win32",
"flash",
"pragma",
"cookie",
"xmpmm",
"png image",
"rgba",
"documentid",
"instanceid",
"creatortool",
"pattern match",
"adobe photoshop",
"macintosh",
"june",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"anomalous_deletefile",
"info_stealer",
"et trojan",
"banload http",
"banload",
"ids detections",
"yara detections",
"bancos variant",
"c2 checkin",
"ntkrnlpacker",
"copy",
"meredrop",
"injection",
"e0e2edee",
"push",
"read",
"write",
"delete",
"entries",
"crlf line",
"anomalous file",
"medium",
"filehash",
"av detections",
"analysis date",
"file score",
"medium risk",
"detections none",
"related pulses",
"apple",
"apple id",
"apple private data collection",
"apple staging",
"t-mobile",
"metroby",
"keylogger"
],
"references": [
"https://uszoom.com/",
"http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm",
"Malicious Score: 10",
"Yara Detections: DotNET_Reactor",
"Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint",
"Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect",
"Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content",
"Alerts: dropper injection_rwx network_dns_doh_tls network_http",
"DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography",
"DotNET_Reactor: System.Security.Cryptography ICryptoTransform",
"High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1",
"High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies",
"Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam",
"https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317",
"https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec",
"Yara Detections stack_string , Armadillov1xxv2xx",
"https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35",
"apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Keylogger.Susppack-9876601-0",
"display_name": "Win.Keylogger.Susppack-9876601-0",
"target": null
},
{
"id": "Win.Trojan.Sdum-9807706-0",
"display_name": "Win.Trojan.Sdum-9807706-0",
"target": null
},
{
"id": "Win32.Meredrop Checkin",
"display_name": "Win32.Meredrop Checkin",
"target": null
},
{
"id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos",
"target": null
},
{
"id": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1048.002",
"name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1102.002",
"name": "Bidirectional Communication",
"display_name": "T1102.002 - Bidirectional Communication"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1198",
"name": "SIP and Trust Provider Hijacking",
"display_name": "T1198 - SIP and Trust Provider Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1434",
"name": "App Delivered via Email Attachment",
"display_name": "T1434 - App Delivered via Email Attachment"
}
],
"industries": [
"Technology",
"Telecommunications",
"Civil Society"
],
"TLP": "green",
"cloned_from": "665bb7679843a6dabe4560e3",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"email": 8,
"FileHash-MD5": 167,
"FileHash-SHA1": 129,
"FileHash-SHA256": 1890,
"URL": 10360,
"domain": 1799,
"hostname": 3994,
"SSLCertFingerprint": 10,
"CVE": 1
},
"indicator_count": 18358,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "698 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://pb.pbentrypoint.net",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://pb.pbentrypoint.net",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780242710.1731207
}