{ "type": "URL", "indicator": "https://prepay.tesco-mobile.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://prepay.tesco-mobile.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3757387580, "indicator": "https://prepay.tesco-mobile.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a8720daa2d0263a2b1de88", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior. Active threat. Linux/Mumblehard backdoor/botnet", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-18T00:34:21.136000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab9d7a0b4116f622b0aa0", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-19T18:05:11.592000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": "65a8720daa2d0263a2b1de88", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c8adc78d892cadd250a", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:54.432000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "Hybrid Analysis", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |", "Alienvault OTX", "https://metro-tmo.com/", "Data Analysis", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "Malicious Score: 10", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "djcodychase.com", "Yara Detections stack_string , Armadillov1xxv2xx", "Yara Detections: DotNET_Reactor", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "https://uszoom.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Hacktool", "#lowfi:hstr:trojanspy:win32/bancos", "Metro", "Backdoor:linux/mumblehard", "Ransomware", "Suppobox", "Mimikatz", "Trojandownloader:o97m/bazaloader", "Formbook", "Virut", "Pony - s0453", "Beach research", "Ramnit", "Worm:win32/benjamin", "Pdf.phishing.ttraffrobotinstall-7605656-0", "Virus:dos/metro", "Maltiverse", "Cobalt strike - s0154", "Trojandropper:vbs/swrort", "Alf:trojan:o97m/emotet", "Backdoor:win32/zbot", "Backdoor:win32/outbreak", "Trojan:win32/installcore", "Win.keylogger.susppack-9876601-0", "Irata", "Cobalt strike", "Emotet", "Win32.meredrop checkin", "Alf:pua:win32/fusioncore", "Squirrelwaffle", "Vidar", "Artemis", "Win.trojan.sdum-9807706-0", "Backdoor:msil/bladabindi", "Quasar rat", "Blacknet rat", "Win.dropper.xtremerat-7708589-0", "Azorult", "Trojanspy", "Alf:pua:win32/opencandy" ], "industries": [ "Telecommunications", "Food", "Gas", "Technology", "Entertainment", "Civil society" ], "unique_indicators": 42043 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/tesco-mobile.com", "whois": "http://whois.domaintools.com/tesco-mobile.com", "domain": "tesco-mobile.com", "hostname": "prepay.tesco-mobile.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a8720daa2d0263a2b1de88", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior. Active threat. Linux/Mumblehard backdoor/botnet", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-18T00:34:21.136000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab9d7a0b4116f622b0aa0", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-19T18:05:11.592000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": "65a8720daa2d0263a2b1de88", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://prepay.tesco-mobile.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://prepay.tesco-mobile.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776681779.9833558 }