{ "type": "URL", "indicator": "https://pusher.pdgamedev.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pusher.pdgamedev.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3382022198, "indicator": "https://pusher.pdgamedev.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "65e863bebbf95e0dc5a4169a", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected", "description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-06T12:38:22.052000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea6410c1e1b1185951ef98", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)", "description": "", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-08T01:04:16.906000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": "65e863bebbf95e0dc5a4169a", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657098ff4c59f8ac3f86f613", "name": "v2 of web.basemark.com plus all suggested ioc,s dont forget about the dropped js files from the 2nd hybrid link", "description": "", "modified": "2023-12-06T15:53:35.032000", "created": "2023-12-06T15:53:35.032000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1168, "hostname": 1366, "domain": 412, "URL": 3576, "email": 2, "FileHash-MD5": 61, "FileHash-SHA1": 54 }, "indicator_count": 6639, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657091e3fe3ea67f512143e3", "name": "\ud83d\udea8\ud83d\udea8\ud83d\udea8 groups.google.com/d/msg/littleproxy/IdZ8R1upAHs/0ctP8JwlBaUJ'", "description": "", "modified": "2023-12-06T15:23:15.237000", "created": "2023-12-06T15:23:15.237000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 116, "hostname": 37, "domain": 77, "URL": 131, "FileHash-MD5": 49, "FileHash-SHA1": 48 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6425a2f9c155fd53b9922bcd", "name": "v2 of web.basemark.com plus all suggested ioc,s dont forget about the dropped js files from the 2nd hybrid link", "description": "hope peeps are gona learn from 3cx that false positives are in fact often not false", "modified": "2023-04-29T13:05:05.409000", "created": "2023-03-30T14:55:53.652000", "tags": [ "trojan", "apt", "ansi", "dropped file", "runtime data", "chromeua", "optout", "programfiles", "typeof e", "localappdata", "error", "date", "generator", "path", "null", "void", "win64", "twitter", "this", "critical", "desktop", "dark", "light", "meta", "roboto", "span", "class", "template", "blink", "suspicious", "facebook", "mexico", "malicious", "mozilla", "strings", "qakbot", "://web.basemark.com/result/?4A3D0fmu%1C%00%00%00B%00a%00s%00e%00" ], "references": [ "https://hybrid-analysis.com/sample/e7740c893812cea8e34ffb04331dcc45762dec73def71929bfbabcbfb22e93e9", "https://hybrid-analysis.com/sample/e7740c893812cea8e34ffb04331dcc45762dec73def71929bfbabcbfb22e93e9/641e30763dcad56bc2075661", "http://web.basemark.com/result/?4A3D0fmu%1C%00%00%00B%00a%00s%00e%00m%00a%00r%00k" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 412, "FileHash-SHA256": 1168, "URL": 3576, "hostname": 1366, "email": 2, "FileHash-MD5": 61, "FileHash-SHA1": 54 }, "indicator_count": 6639, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "630e9bb8c96096d82260d703", "name": "\ud83d\udea8\ud83d\udea8\ud83d\udea8 groups.google.com/d/msg/littleproxy/IdZ8R1upAHs/0ctP8JwlBaUJ'", "description": "", "modified": "2022-09-30T00:03:24.809000", "created": "2022-08-30T23:22:32.540000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "data", "decrypted ssl", "windows nt", "size", "sha256", "sha1", "pcap", "seen", "accept", "date", "format", "null", "august", "hybrid", "close", "click", "hosts", "suspicious", "local", "strings" ], "references": [ "https://hybrid-analysis.com/sample/bee5af3003505318165465985eaed9f2c8fac29262091dcb331e8bb347c6bccc/630e9042e0d17261cf7e453f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 37, "URL": 131, "FileHash-SHA256": 116, "domain": 77, "FileHash-MD5": 49, "FileHash-SHA1": 48 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621409a934f539a8b11defb5", "name": "com.sublimetext.3", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T21:52:41.742000", "tags": [ "ssl certificate", "whois record", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 12, "URL": 11, "FileHash-SHA256": 152, "domain": 19, "FileHash-MD5": 1 }, "indicator_count": 195, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1531 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "capitana.onthewifi.com", "http://web.basemark.com/result/?4A3D0fmu%1C%00%00%00B%00a%00s%00e%00m%00a%00r%00k", "FormBook: http://45.159.189.105/bot/regex", "https://hybrid-analysis.com/sample/e7740c893812cea8e34ffb04331dcc45762dec73def71929bfbabcbfb22e93e9/641e30763dcad56bc2075661", "https://hybrid-analysis.com/sample/e7740c893812cea8e34ffb04331dcc45762dec73def71929bfbabcbfb22e93e9", "https://hybrid-analysis.com/sample/bee5af3003505318165465985eaed9f2c8fac29262091dcb331e8bb347c6bccc/630e9042e0d17261cf7e453f", "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "Relic: bam.nr-data.net [Apple Private Data Collection]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:cryptor", "Trojan:win32/glupteba.km!mtb", "Win.virus.polyransom-5704625-0", "Slf:trojan:win32/grandoreiro.a", "Win32:trojan-gen", "Win32:botx-gen\\ [trj]" ], "industries": [], "unique_indicators": 17054 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pdgamedev.com", "whois": "http://whois.domaintools.com/pdgamedev.com", "domain": "pdgamedev.com", "hostname": "pusher.pdgamedev.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "65e863bebbf95e0dc5a4169a", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected", "description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-06T12:38:22.052000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea6410c1e1b1185951ef98", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)", "description": "", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-08T01:04:16.906000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": "65e863bebbf95e0dc5a4169a", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657098ff4c59f8ac3f86f613", "name": "v2 of web.basemark.com plus all suggested ioc,s dont forget about the dropped js files from the 2nd hybrid link", "description": "", "modified": "2023-12-06T15:53:35.032000", "created": "2023-12-06T15:53:35.032000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1168, "hostname": 1366, "domain": 412, "URL": 3576, "email": 2, "FileHash-MD5": 61, "FileHash-SHA1": 54 }, "indicator_count": 6639, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657091e3fe3ea67f512143e3", "name": "\ud83d\udea8\ud83d\udea8\ud83d\udea8 groups.google.com/d/msg/littleproxy/IdZ8R1upAHs/0ctP8JwlBaUJ'", "description": "", "modified": "2023-12-06T15:23:15.237000", "created": "2023-12-06T15:23:15.237000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 116, "hostname": 37, "domain": 77, "URL": 131, "FileHash-MD5": 49, "FileHash-SHA1": 48 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6425a2f9c155fd53b9922bcd", "name": "v2 of web.basemark.com plus all suggested ioc,s dont forget about the dropped js files from the 2nd hybrid link", "description": "hope peeps are gona learn from 3cx that false positives are in fact often not false", "modified": "2023-04-29T13:05:05.409000", "created": "2023-03-30T14:55:53.652000", "tags": [ "trojan", "apt", "ansi", "dropped file", "runtime data", "chromeua", "optout", "programfiles", "typeof e", "localappdata", "error", "date", "generator", "path", "null", "void", "win64", "twitter", "this", "critical", "desktop", "dark", "light", "meta", "roboto", "span", "class", "template", "blink", "suspicious", "facebook", "mexico", "malicious", "mozilla", "strings", "qakbot", "://web.basemark.com/result/?4A3D0fmu%1C%00%00%00B%00a%00s%00e%00" ], "references": [ "https://hybrid-analysis.com/sample/e7740c893812cea8e34ffb04331dcc45762dec73def71929bfbabcbfb22e93e9", "https://hybrid-analysis.com/sample/e7740c893812cea8e34ffb04331dcc45762dec73def71929bfbabcbfb22e93e9/641e30763dcad56bc2075661", "http://web.basemark.com/result/?4A3D0fmu%1C%00%00%00B%00a%00s%00e%00m%00a%00r%00k" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 412, "FileHash-SHA256": 1168, "URL": 3576, "hostname": 1366, "email": 2, "FileHash-MD5": 61, "FileHash-SHA1": 54 }, "indicator_count": 6639, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "630e9bb8c96096d82260d703", "name": "\ud83d\udea8\ud83d\udea8\ud83d\udea8 groups.google.com/d/msg/littleproxy/IdZ8R1upAHs/0ctP8JwlBaUJ'", "description": "", "modified": "2022-09-30T00:03:24.809000", "created": "2022-08-30T23:22:32.540000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "data", "decrypted ssl", "windows nt", "size", "sha256", "sha1", "pcap", "seen", "accept", "date", "format", "null", "august", "hybrid", "close", "click", "hosts", "suspicious", "local", "strings" ], "references": [ "https://hybrid-analysis.com/sample/bee5af3003505318165465985eaed9f2c8fac29262091dcb331e8bb347c6bccc/630e9042e0d17261cf7e453f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 37, "URL": 131, "FileHash-SHA256": 116, "domain": 77, "FileHash-MD5": 49, "FileHash-SHA1": 48 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621409a934f539a8b11defb5", "name": "com.sublimetext.3", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T21:52:41.742000", "tags": [ "ssl certificate", "whois record", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 12, "URL": 11, "FileHash-SHA256": 152, "domain": 19, "FileHash-MD5": 1 }, "indicator_count": 195, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1531 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pusher.pdgamedev.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pusher.pdgamedev.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780354111.6157496 }