{ "type": "URL", "indicator": "https://schema.org/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://schema.org/", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain schema.org", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain schema.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3155700859, "indicator": "https://schema.org/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69d967590f40c612c90ce84f", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-04-19T09:05:10.432000", "created": "2026-04-10T21:10:49.749000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "APKmirror", "ILOVEYOUBABY", "No Problems", "Christmas Tree EXEC Code Red worm Computer virus Nimda", "Wanna Cry", "APK", "DC RAT", "Emotnet", "Redline Swiper", "Open Door", "Bankers Document", "Y2K", "wsscript.exe, VBE", "Compliance Lock Trap", "Globalsign 2020 (potentially exploited)", "Heuristic Smear", "Gatsby Library Loader DLL", "w31999", "UofA" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "Micro - Dates to look for specific: April/May/June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Entrust to Sectigo- Review vendors", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "Digi/Global Sign - audit 2020 digital intersect", "Proton.me/Zenbox: Audit July 2025", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Y2K", "US, Philippines, Ukraine, Iran, China. Alberta.", "France", "Germany, Austria, and Switzerland GmbH", "Gatsby Library Loader, DLL", "Spellbinding! Indeed. SpellEditor.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3516, "hostname": 1614, "CVE": 7, "URL": 1806, "domain": 1416, "IPv4": 888, "FileHash-MD5": 731, "FileHash-SHA1": 787, "CIDR": 6, "email": 27, "IPv6": 10, "JA3": 2 }, "indicator_count": 10810, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e2c7b1853bf078af9a2866", "name": "CAPE Sandbox undefined", "description": "", "modified": "2026-04-18T04:18:55.820000", "created": "2026-04-17T23:52:17.056000", "tags": [ "settings", "first counter", "default", "inprocserver32", "mbisslshort", "bearer", "mwdb", "bazaar", "sha3384", "ssdeep", "info", "bridge", "accept", "date", "agent", "shutdown", "root", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776470073&Signature=Az6LmaO0Ym5MKTBxri4mRH8TsIMHTPjGhKf7HB%2BHbmAk8XD%2Fk7rkH45xODMAg%2BhghaLCCesdheOqanF%2Fewi4x9eJsFd5ly6xpLteVadZVaHMWjTIMnLWbsq%2BiCm0GrE2aA4MptNKtTU5y8axflSdKnYhLcMtkbBgD6NYhypoPDDDFLBEtQ67Cm8rAzGBr05lDzEzHscmIGtfJzBB65OiRVfgxRbhmOd3SBJDCfnjUb58A9YbwSwS" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 468, "FileHash-MD5": 1056, "FileHash-SHA1": 848, "FileHash-SHA256": 880, "URL": 644, "hostname": 992, "domain": 302, "CIDR": 48, "email": 18, "CVE": 4 }, "indicator_count": 5260, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf4aaf485e182cdfef51e0", "name": "VirusTotal report\n for index.html", "description": "", "modified": "2026-04-03T05:05:51.290000", "created": "2026-04-03T05:05:51.290000", "tags": [ "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "meta", "phishing", "next", "cohasset high school", "massachusetts", "nadeam nahas", "cryptomining", "wcvb", "cohasset", "gordon", "nahas", "department", "cohasset police", "crypto mining", "karen anderson", "high school", "school", "bitcoin", "copy", "https", "urls", "html page", "layer protocol", "united", "title", "air assault", "band", "script", "press", "hold", "doctype html", "access", "head", "perimeterx", "pxosx7m0dx", "import", "body", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192470&Signature=nKlj9vgreN7fYV3U1aG4fv22mUc84blejB1PyhBS4HoWpTcNOqIPDeDH2EU%2BDhrXFrxgNPDfk3m7ZF%2F2VFHNyw%2Fy18TAd1tQZFPmtvCToOOAhp4iER3r08E4vTUOKs4vvPog5yOhlCgy4CJ3K8HbuHA8QH70Xvh1Tuo%2Fi79a3%2FDzxZ5hNMVKsKLXJagoxjHCd22TcfjGcdxpo1%2BYcbwUEXdFba06B1lUSsD8A%2B5X%2BSQdX%2FYfiI8g", "https://www.wcvb.com/article/cohasset-massachusetts-school-employee-power-cryptocurrency-mine/43025932", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192564&Signature=bI%2FmFLlckahzDU%2FSDsxXds3czan%2BiIJWhk9ISJRpdCEp7pezQxiWJLiEt13K1Rra8HT9gGSndmBMCsZ3NF46U1JNWcVLzOCiX9Munkk3nn%2BFYv5OJFsJgqkcWu%2F8Q0WDNu%2FURM8wWERVypqMET%2FQwRNd9YHCxjD0j7v0T3XoXaTlWlBFBrShH05u3XPLaW76S8zT69nl8TDRX59iXZrgFHm0v%2FbksZ10TIJ%2BkzCS7CRdNRaqmSI3", "https://www.facebook.com/groups/2387525621437001/posts/2775911069265119/", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192713&Signature=iX6awMq82XItc5YWXGjoiAr6mGBE7yEqoAv6iPmemNzbuRwWI2nsDjbV5nEvfIl7MtjHOMVwDCRv%2BZ2sjFbIZrahyniPpoGrg69FjdfFMyQPzsYv1Bg5snry%2FW22ROJl%2BMYxKIK1x9hvxXnOtz3SCOY7a31RavAEL%2Fj1rXwDIjrOI%2BtBuen3TYw4ANLBvSUFgMc1FyJpbKIrA%2BIQFzSDTi%2Fa0d9iSrA0Y3shshUY3yMDCspB", "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192866&Signature=GgQ76qxY14JaBRGE9w93sbvGI6fl4dPQTxyj4aZlFxsdTWtcYcrMMy5JoQR3aqlBBJrMh19x%2F7%2BJpxBOvHM4CIqSetvdLGlMyJoHTcYJODToEwpJW17TSTZAo5a%2F%2BFnQif%2BRaFVaF9sK6mcWhlcQ0LiRj4ZNO%2FhhAApJM0q3P6KXEuZ%2BTC%2FD%2Bcumt7r8nsdEXwRFQnIKr1dvupZqQVzDJ9%2BA9v7rFKrMcX0adiJp8Mgdih1Swf", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192911&Signature=Iyin7WLwS5Yl%2BLqBc2hNsfMx0vCUDhnnRASgy%2FOR1INoV9I%2FEIwn%2B9EgbBOtpw61w58DMWehC2Zn4kDGLX1D0q1v%2F7i6nAnnTs6fGlksqivhTOBDJLxqo9H2RLeBcFmcT8UDJnz1iRhPvMXVZ%2FEmFDz3WBDyNeoALRLw3ak6DhNDKaxFbjnRHZrmc%2BeEEk9SPXctF7Qd597QPZUzzNLdXY9LvbK2VzgZSdtddTiut7lD1ZHA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Electricity" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "URL": 117, "domain": 13, "FileHash-MD5": 7, "FileHash-SHA1": 4, "hostname": 66, "IPv4": 42 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf4aaed5e28797e2096a95", "name": "VirusTotal report\n for index.html", "description": "", "modified": "2026-04-03T05:05:50.814000", "created": "2026-04-03T05:05:50.814000", "tags": [ "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "meta", "phishing", "next", "cohasset high school", "massachusetts", "nadeam nahas", "cryptomining", "wcvb", "cohasset", "gordon", "nahas", "department", "cohasset police", "crypto mining", "karen anderson", "high school", "school", "bitcoin", "copy", "https", "urls", "html page", "layer protocol", "united", "title", "air assault", "band", "script", "press", "hold", "doctype html", "access", "head", "perimeterx", "pxosx7m0dx", "import", "body", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192470&Signature=nKlj9vgreN7fYV3U1aG4fv22mUc84blejB1PyhBS4HoWpTcNOqIPDeDH2EU%2BDhrXFrxgNPDfk3m7ZF%2F2VFHNyw%2Fy18TAd1tQZFPmtvCToOOAhp4iER3r08E4vTUOKs4vvPog5yOhlCgy4CJ3K8HbuHA8QH70Xvh1Tuo%2Fi79a3%2FDzxZ5hNMVKsKLXJagoxjHCd22TcfjGcdxpo1%2BYcbwUEXdFba06B1lUSsD8A%2B5X%2BSQdX%2FYfiI8g", "https://www.wcvb.com/article/cohasset-massachusetts-school-employee-power-cryptocurrency-mine/43025932", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192564&Signature=bI%2FmFLlckahzDU%2FSDsxXds3czan%2BiIJWhk9ISJRpdCEp7pezQxiWJLiEt13K1Rra8HT9gGSndmBMCsZ3NF46U1JNWcVLzOCiX9Munkk3nn%2BFYv5OJFsJgqkcWu%2F8Q0WDNu%2FURM8wWERVypqMET%2FQwRNd9YHCxjD0j7v0T3XoXaTlWlBFBrShH05u3XPLaW76S8zT69nl8TDRX59iXZrgFHm0v%2FbksZ10TIJ%2BkzCS7CRdNRaqmSI3", "https://www.facebook.com/groups/2387525621437001/posts/2775911069265119/", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192713&Signature=iX6awMq82XItc5YWXGjoiAr6mGBE7yEqoAv6iPmemNzbuRwWI2nsDjbV5nEvfIl7MtjHOMVwDCRv%2BZ2sjFbIZrahyniPpoGrg69FjdfFMyQPzsYv1Bg5snry%2FW22ROJl%2BMYxKIK1x9hvxXnOtz3SCOY7a31RavAEL%2Fj1rXwDIjrOI%2BtBuen3TYw4ANLBvSUFgMc1FyJpbKIrA%2BIQFzSDTi%2Fa0d9iSrA0Y3shshUY3yMDCspB", "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192866&Signature=GgQ76qxY14JaBRGE9w93sbvGI6fl4dPQTxyj4aZlFxsdTWtcYcrMMy5JoQR3aqlBBJrMh19x%2F7%2BJpxBOvHM4CIqSetvdLGlMyJoHTcYJODToEwpJW17TSTZAo5a%2F%2BFnQif%2BRaFVaF9sK6mcWhlcQ0LiRj4ZNO%2FhhAApJM0q3P6KXEuZ%2BTC%2FD%2Bcumt7r8nsdEXwRFQnIKr1dvupZqQVzDJ9%2BA9v7rFKrMcX0adiJp8Mgdih1Swf", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192911&Signature=Iyin7WLwS5Yl%2BLqBc2hNsfMx0vCUDhnnRASgy%2FOR1INoV9I%2FEIwn%2B9EgbBOtpw61w58DMWehC2Zn4kDGLX1D0q1v%2F7i6nAnnTs6fGlksqivhTOBDJLxqo9H2RLeBcFmcT8UDJnz1iRhPvMXVZ%2FEmFDz3WBDyNeoALRLw3ak6DhNDKaxFbjnRHZrmc%2BeEEk9SPXctF7Qd597QPZUzzNLdXY9LvbK2VzgZSdtddTiut7lD1ZHA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Electricity" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "URL": 117, "domain": 13, "FileHash-MD5": 7, "FileHash-SHA1": 4, "hostname": 66, "IPv4": 42 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c9dcbadbaa7b984894b3f2", "name": "VirusTotal report\n for document.html", "description": "", "modified": "2026-03-30T02:20:52.336000", "created": "2026-03-30T02:15:22.605000", "tags": [ "performs dns", "https", "united", "urls", "tls version", "mitre attack", "network info", "processes extra", "udp traffic", "t1055 process", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0079afbd3f097dfe5e8c0e96e7621bafccc334b11e4c6a0b7ad8c33830137c07_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774836979&Signature=nT3KwHpdATQPLVw62DZITrj18YBMfzDXdNaoxKNiqQ3tQIdbR0rb3AvFrVPTbJOgIyBC7JgTIQMr0Ftyr7Uq4o64jKYFzj70LDdM5M1fJC%2BRV3WU15fdKzBHRLtIt2U5qY1gUY2BvnbDxzzmYKH%2F5CpyqgzqVgZM1lvV7XX8lpMj4f%2FvaDU7w3AEOKwCPP7jQ8x%2B21mOqZVMT%2FSu9bwxQzmd3dJV%2FtIoDyhx5zytFKuqmLHZ4dW%2F2GIJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 112, "URL": 198, "domain": 40, "hostname": 96 }, "indicator_count": 466, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a823f8dbade2ab32ee77", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. Content reputation.", "description": "", "modified": "2023-12-06T16:58:11.569000", "created": "2023-12-06T16:58:11.569000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-SHA256": 598, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6522804c01930c8d2f1ad71f", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. Content reputation.", "description": "Unrelated websites successfully flood , and dismantle reputations, marketing efforts of targets who has and lost 100% online visibility. Cyber criminals set up malicious websites, that drive down reputation, relevant media of target. The domains are traps popular w/some hackers or malicious red team groups typically hired by attorneys. Clicks, revenue flow to cyber criminals through malicious redirects, AGGRESSIVE social engineering, intellectual property abuse and obnoxious distraction. Contact is often made to trick target into believing their is interested in their product, body of work. Legal docs or funds may be exchange, giving cyber criminal access, email, clouds, Dropbox, forced login abuse, cloud share, phone number, C2, payment methods, banking, privilege to distribute, falsify ad campaigns of target. It's complicated but practices to frustrate , impoverish, profit, track, silence target. Malicious intent. Heavy tracking, core communication service swap.", "modified": "2023-11-07T08:04:06.581000", "created": "2023-10-08T10:11:22.600000", "tags": [ "heur", "cyber threat", "engineering", "covid19", "united", "phishing site", "telefonica peru", "malicious site", "control server", "phishing", "suppobox", "malware", "team", "ransomware", "download", "facebook", "daum", "cobalt strike", "pony", "artemis", "simda", "sodinokibi", "zbot", "bank", "feodo", "laplasclipper", "squirrelwaffle", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "revil", "matsnu", "service", "generic", "malicious", "emotet", "br", "trojanspy", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "blacklist", "alexa", "malicious url", "detection list", "INDICATOR ROLE TITLE DESCRIPTION EXPIRATION RELATED PULSES URL ", "C2", "command_and_control", "nr-data", "cyber crime", "impersonation", "fraud", "intellectual property", "targets", "kedence", "song culture", "tsara lynn", "k\u00e9dence", "tsara", "tsara brashears", "social engineering", "interface exchange", "abuse", "privilege", "indicator", "file", "pattern match", "ascii text", "appdata", "windows nt", "script", "mitre att", "ck id", "show technique", "hybrid", "general", "local", "forced login", "content reputation", "reputation", "scheme", "crime", "cyber criminals", "arizona", "colorado", "newyork", "british", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "suricata", "suricata", "cloud", "device remotwd", "remote attack", "remote controlled devices", "tracking", "spyware", "florida", "united states", "canada", "estonia", "cyber criminal", "alert" ], "references": [ "smartwishlist_1_.js", "https://www.hybrid-analysis.com/sample/ef02a04e1487fd373923ef2aa42b3d9af8d5fd600e5198150283b31aa7ed7558", "CVE-2012-1856", "CVE-2013-1331", "CVE-2017-8570", "CVE-2017-0147", "CVE-2017-11882", "CVE-2017-0199", "CVE-2018-8453", "https://the.sciencebehindecommerce.com/d9core", "https://pixel.tapad.com/idsync/ex/push static-tracking.klaviyo.com u002dtracking.klaviyo.com", "https://www.miraclebrand.co/apps/wonderment/tracking", "remote-access.net", "dev.remote-access.net", "hubspot.remote-access.net", "http://avient.remote-access.net/", "qa.remote-access.net", "http://www.remote-access.net", "https://avient.remote-access.net", "bam.nr-data.net", "appleaccessory.online", "init.ess.apple.com", "tv.apple.com", "http://icloud.ypcdce.com", "dr4qe3ddw9y32.cloudfront.net", "http://45.159.189.105/bot/regex", "http://clipper.guru/bot/regex", "http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34", "cloud.smartwishlist.webmarked.net", "http://dialacake.com/mumbai/yellow-pineapple-cake-2770.html", "https://hubspot.remote-access.net", "icloud.ypcdce.com", "Research and Data analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BR", "display_name": "BR", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Emotet - S0367", "display_name": "Emotet - S0367", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Virus:Win32/Daum", "display_name": "Virus:Win32/Daum", "target": "/malware/Virus:Win32/Daum" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Backdoor:PHP/Artemis", "display_name": "Backdoor:PHP/Artemis", "target": "/malware/Backdoor:PHP/Artemis" }, { "id": "TEL:HackTool:Win32/ArtemisUser", "display_name": "TEL:HackTool:Win32/ArtemisUser", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "REvil (ELF)", "display_name": "REvil (ELF)", "target": null }, { "id": "Trojan:Win32/Matsnu", "display_name": "Trojan:Win32/Matsnu", "target": "/malware/Trojan:Win32/Matsnu" }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95, "FileHash-SHA256": 598 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1b570ce3f6227774113b", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. ", "description": "", "modified": "2023-11-07T08:04:06.581000", "created": "2023-10-30T02:56:23.462000", "tags": [ "heur", "cyber threat", "engineering", "covid19", "united", "phishing site", "telefonica peru", "malicious site", "control server", "phishing", "suppobox", "malware", "team", "ransomware", "download", "facebook", "daum", "cobalt strike", "pony", "artemis", "simda", "sodinokibi", "zbot", "bank", "feodo", "laplasclipper", "squirrelwaffle", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "revil", "matsnu", "service", "generic", "malicious", "emotet", "br", "trojanspy", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "blacklist", "alexa", "malicious url", "detection list", "INDICATOR ROLE TITLE DESCRIPTION EXPIRATION RELATED PULSES URL ", "C2", "command_and_control", "nr-data", "cyber crime", "impersonation", "fraud", "intellectual property", "targets", "kedence", "song culture", "tsara lynn", "k\u00e9dence", "tsara", "tsara brashears", "social engineering", "interface exchange", "abuse", "privilege", "indicator", "file", "pattern match", "ascii text", "appdata", "windows nt", "script", "mitre att", "ck id", "show technique", "hybrid", "general", "local", "forced login", "content reputation", "reputation", "scheme", "crime", "cyber criminals", "arizona", "colorado", "newyork", "british", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "suricata", "suricata", "cloud", "device remotwd", "remote attack", "remote controlled devices", "tracking", "spyware", "florida", "united states", "canada", "estonia", "cyber criminal", "alert" ], "references": [ "smartwishlist_1_.js", "https://www.hybrid-analysis.com/sample/ef02a04e1487fd373923ef2aa42b3d9af8d5fd600e5198150283b31aa7ed7558", "CVE-2012-1856", "CVE-2013-1331", "CVE-2017-8570", "CVE-2017-0147", "CVE-2017-11882", "CVE-2017-0199", "CVE-2018-8453", "https://the.sciencebehindecommerce.com/d9core", "https://pixel.tapad.com/idsync/ex/push static-tracking.klaviyo.com u002dtracking.klaviyo.com", "https://www.miraclebrand.co/apps/wonderment/tracking", "remote-access.net", "dev.remote-access.net", "hubspot.remote-access.net", "http://avient.remote-access.net/", "qa.remote-access.net", "http://www.remote-access.net", "https://avient.remote-access.net", "bam.nr-data.net", "appleaccessory.online", "init.ess.apple.com", "tv.apple.com", "http://icloud.ypcdce.com", "dr4qe3ddw9y32.cloudfront.net", "http://45.159.189.105/bot/regex", "http://clipper.guru/bot/regex", "http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34", "cloud.smartwishlist.webmarked.net", "http://dialacake.com/mumbai/yellow-pineapple-cake-2770.html", "https://hubspot.remote-access.net", "icloud.ypcdce.com", "Research and Data analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BR", "display_name": "BR", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Emotet - S0367", "display_name": "Emotet - S0367", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Virus:Win32/Daum", "display_name": "Virus:Win32/Daum", "target": "/malware/Virus:Win32/Daum" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Backdoor:PHP/Artemis", "display_name": "Backdoor:PHP/Artemis", "target": "/malware/Backdoor:PHP/Artemis" }, { "id": "TEL:HackTool:Win32/ArtemisUser", "display_name": "TEL:HackTool:Win32/ArtemisUser", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "REvil (ELF)", "display_name": "REvil (ELF)", "target": null }, { "id": "Trojan:Win32/Matsnu", "display_name": "Trojan:Win32/Matsnu", "target": "/malware/Trojan:Win32/Matsnu" }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": "6522804c01930c8d2f1ad71f", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95, "FileHash-SHA256": 598 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6221551b54a802150336dc28", "name": "https://www.casarforcongress.com/_partials/wix-thunderbolt/dist/clientWorker.f2cee111.bundle.min.js", "description": "", "modified": "2022-03-03T23:54:03.339000", "created": "2022-03-03T23:54:03.339000", "tags": [ "location street", "name", "location state", "location city", "name t", "image width", "image height", "home page", "site image", "image", "next", "date", "alexa", "code", "null", "locale", "info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "URL": 84, "FileHash-SHA256": 18, "domain": 23, "FileHash-MD5": 1 }, "indicator_count": 164, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1507 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "CVE-2013-1331", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192713&Signature=iX6awMq82XItc5YWXGjoiAr6mGBE7yEqoAv6iPmemNzbuRwWI2nsDjbV5nEvfIl7MtjHOMVwDCRv%2BZ2sjFbIZrahyniPpoGrg69FjdfFMyQPzsYv1Bg5snry%2FW22ROJl%2BMYxKIK1x9hvxXnOtz3SCOY7a31RavAEL%2Fj1rXwDIjrOI%2BtBuen3TYw4ANLBvSUFgMc1FyJpbKIrA%2BIQFzSDTi%2Fa0d9iSrA0Y3shshUY3yMDCspB", "tv.apple.com", "http://dialacake.com/mumbai/yellow-pineapple-cake-2770.html", "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192866&Signature=GgQ76qxY14JaBRGE9w93sbvGI6fl4dPQTxyj4aZlFxsdTWtcYcrMMy5JoQR3aqlBBJrMh19x%2F7%2BJpxBOvHM4CIqSetvdLGlMyJoHTcYJODToEwpJW17TSTZAo5a%2F%2BFnQif%2BRaFVaF9sK6mcWhlcQ0LiRj4ZNO%2FhhAApJM0q3P6KXEuZ%2BTC%2FD%2Bcumt7r8nsdEXwRFQnIKr1dvupZqQVzDJ9%2BA9v7rFKrMcX0adiJp8Mgdih1Swf", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "Digi/Global Sign - audit 2020 digital intersect", "remote-access.net", "https://www.wcvb.com/article/cohasset-massachusetts-school-employee-power-cryptocurrency-mine/43025932", "Gatsby Library Loader, DLL", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192564&Signature=bI%2FmFLlckahzDU%2FSDsxXds3czan%2BiIJWhk9ISJRpdCEp7pezQxiWJLiEt13K1Rra8HT9gGSndmBMCsZ3NF46U1JNWcVLzOCiX9Munkk3nn%2BFYv5OJFsJgqkcWu%2F8Q0WDNu%2FURM8wWERVypqMET%2FQwRNd9YHCxjD0j7v0T3XoXaTlWlBFBrShH05u3XPLaW76S8zT69nl8TDRX59iXZrgFHm0v%2FbksZ10TIJ%2BkzCS7CRdNRaqmSI3", "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192470&Signature=nKlj9vgreN7fYV3U1aG4fv22mUc84blejB1PyhBS4HoWpTcNOqIPDeDH2EU%2BDhrXFrxgNPDfk3m7ZF%2F2VFHNyw%2Fy18TAd1tQZFPmtvCToOOAhp4iER3r08E4vTUOKs4vvPog5yOhlCgy4CJ3K8HbuHA8QH70Xvh1Tuo%2Fi79a3%2FDzxZ5hNMVKsKLXJagoxjHCd22TcfjGcdxpo1%2BYcbwUEXdFba06B1lUSsD8A%2B5X%2BSQdX%2FYfiI8g", "https://avient.remote-access.net", "https://the.sciencebehindecommerce.com/d9core", "dr4qe3ddw9y32.cloudfront.net", "*otc.greatcall.com [Botnetwork]", "http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "France", "https://pixel.tapad.com/idsync/ex/push static-tracking.klaviyo.com u002dtracking.klaviyo.com", "US, Philippines, Ukraine, Iran, China. Alberta.", "https://www.miraclebrand.co/apps/wonderment/tracking", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "APKMirror https://www.apkmirror.com", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Proton.me/Zenbox: Audit July 2025", "http://avient.remote-access.net/", "https://hubspot.remote-access.net", "appleaccessory.online", "Amazon- Check new cert subscribers on or around Sept 15 2025", "icloud.ypcdce.com", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "This document might expose someone, more than another.", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "http://45.159.189.105/bot/regex", "http://clipper.guru/bot/regex", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "dev.remote-access.net", "Spellbinding! Indeed. SpellEditor.exe", "http://www.remote-access.net", "Micro - Dates to look for specific: April/May/June 2025", "cloud.smartwishlist.webmarked.net", "init.ess.apple.com", "Entrust to Sectigo- Review vendors", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "https://www.facebook.com/groups/2387525621437001/posts/2775911069265119/", "https://vtbehaviour.commondatastorage.googleapis.com/0079afbd3f097dfe5e8c0e96e7621bafccc334b11e4c6a0b7ad8c33830137c07_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774836979&Signature=nT3KwHpdATQPLVw62DZITrj18YBMfzDXdNaoxKNiqQ3tQIdbR0rb3AvFrVPTbJOgIyBC7JgTIQMr0Ftyr7Uq4o64jKYFzj70LDdM5M1fJC%2BRV3WU15fdKzBHRLtIt2U5qY1gUY2BvnbDxzzmYKH%2F5CpyqgzqVgZM1lvV7XX8lpMj4f%2FvaDU7w3AEOKwCPP7jQ8x%2B21mOqZVMT%2FSu9bwxQzmd3dJV%2FtIoDyhx5zytFKuqmLHZ4dW%2F2GIJ", "tulach.cc. [Malevolent | Modified description]", "qa.remote-access.net", "CVE-2017-0147", "CVE-2017-8570", "People who exploit this put the US at risk. Bottom line.", "smartwishlist_1_.js", "CVE-2018-8453", "Google Docs 1.25.202.02 APK Download by Google LLC", "https://www.hybrid-analysis.com/sample/ef02a04e1487fd373923ef2aa42b3d9af8d5fd600e5198150283b31aa7ed7558", "Y2K", "http://icloud.ypcdce.com", "CVE-2017-0199", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "CVE-2017-11882", "CVE-2012-1856", "hubspot.remote-access.net", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "bam.nr-data.net", "Research and Data analysis", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "Germany, Austria, and Switzerland GmbH", "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192911&Signature=Iyin7WLwS5Yl%2BLqBc2hNsfMx0vCUDhnnRASgy%2FOR1INoV9I%2FEIwn%2B9EgbBOtpw61w58DMWehC2Zn4kDGLX1D0q1v%2F7i6nAnnTs6fGlksqivhTOBDJLxqo9H2RLeBcFmcT8UDJnz1iRhPvMXVZ%2FEmFDz3WBDyNeoALRLw3ak6DhNDKaxFbjnRHZrmc%2BeEEk9SPXctF7Qd597QPZUzzNLdXY9LvbK2VzgZSdtddTiut7lD1ZHA", "https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776470073&Signature=Az6LmaO0Ym5MKTBxri4mRH8TsIMHTPjGhKf7HB%2BHbmAk8XD%2Fk7rkH45xODMAg%2BhghaLCCesdheOqanF%2Fewi4x9eJsFd5ly6xpLteVadZVaHMWjTIMnLWbsq%2BiCm0GrE2aA4MptNKtTU5y8axflSdKnYhLcMtkbBgD6NYhypoPDDDFLBEtQ67Cm8rAzGBr05lDzEzHscmIGtfJzBB65OiRVfgxRbhmOd3SBJDCfnjUb58A9YbwSwS" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Qbot" ], "malware_families": [ "Zeus", "Ramnit", "Formbook", "Azorult - s0344", "Maltiverse", "Laplasclipper", "Trojan:win32/matsnu", "Trojanspy", "Br", "Backdoor:win32/zbot", "Emotet - s0367", "Revil (elf)", "Roblox", "Suppobox", "Feodo", "Cobalt strike", "Backdoor:php/artemis", "Pony - s0453", "Ransomware", "Squirrelwaffle", "Backdoor:win32/simda", "Tel:hacktool:win32/artemisuser", "Virus:win32/daum", "Virut", "Tulach malware" ], "industries": [ "Government", "Electricity", "Telecommunications" ], "unique_indicators": 49097 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/schema.org", "whois": "http://whois.domaintools.com/schema.org", "domain": "schema.org", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69d967590f40c612c90ce84f", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-04-19T09:05:10.432000", "created": "2026-04-10T21:10:49.749000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "APKmirror", "ILOVEYOUBABY", "No Problems", "Christmas Tree EXEC Code Red worm Computer virus Nimda", "Wanna Cry", "APK", "DC RAT", "Emotnet", "Redline Swiper", "Open Door", "Bankers Document", "Y2K", "wsscript.exe, VBE", "Compliance Lock Trap", "Globalsign 2020 (potentially exploited)", "Heuristic Smear", "Gatsby Library Loader DLL", "w31999", "UofA" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "Micro - Dates to look for specific: April/May/June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Entrust to Sectigo- Review vendors", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "Digi/Global Sign - audit 2020 digital intersect", "Proton.me/Zenbox: Audit July 2025", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Y2K", "US, Philippines, Ukraine, Iran, China. Alberta.", "France", "Germany, Austria, and Switzerland GmbH", "Gatsby Library Loader, DLL", "Spellbinding! Indeed. SpellEditor.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3516, "hostname": 1614, "CVE": 7, "URL": 1806, "domain": 1416, "IPv4": 888, "FileHash-MD5": 731, "FileHash-SHA1": 787, "CIDR": 6, "email": 27, "IPv6": 10, "JA3": 2 }, "indicator_count": 10810, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e2c7b1853bf078af9a2866", "name": "CAPE Sandbox undefined", "description": "", "modified": "2026-04-18T04:18:55.820000", "created": "2026-04-17T23:52:17.056000", "tags": [ "settings", "first counter", "default", "inprocserver32", "mbisslshort", "bearer", "mwdb", "bazaar", "sha3384", "ssdeep", "info", "bridge", "accept", "date", "agent", "shutdown", "root", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776470073&Signature=Az6LmaO0Ym5MKTBxri4mRH8TsIMHTPjGhKf7HB%2BHbmAk8XD%2Fk7rkH45xODMAg%2BhghaLCCesdheOqanF%2Fewi4x9eJsFd5ly6xpLteVadZVaHMWjTIMnLWbsq%2BiCm0GrE2aA4MptNKtTU5y8axflSdKnYhLcMtkbBgD6NYhypoPDDDFLBEtQ67Cm8rAzGBr05lDzEzHscmIGtfJzBB65OiRVfgxRbhmOd3SBJDCfnjUb58A9YbwSwS" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 468, "FileHash-MD5": 1056, "FileHash-SHA1": 848, "FileHash-SHA256": 880, "URL": 644, "hostname": 992, "domain": 302, "CIDR": 48, "email": 18, "CVE": 4 }, "indicator_count": 5260, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf4aaf485e182cdfef51e0", "name": "VirusTotal report\n for index.html", "description": "", "modified": "2026-04-03T05:05:51.290000", "created": "2026-04-03T05:05:51.290000", "tags": [ "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "meta", "phishing", "next", "cohasset high school", "massachusetts", "nadeam nahas", "cryptomining", "wcvb", "cohasset", "gordon", "nahas", "department", "cohasset police", "crypto mining", "karen anderson", "high school", "school", "bitcoin", "copy", "https", "urls", "html page", "layer protocol", "united", "title", "air assault", "band", "script", "press", "hold", "doctype html", "access", "head", "perimeterx", "pxosx7m0dx", "import", "body", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192470&Signature=nKlj9vgreN7fYV3U1aG4fv22mUc84blejB1PyhBS4HoWpTcNOqIPDeDH2EU%2BDhrXFrxgNPDfk3m7ZF%2F2VFHNyw%2Fy18TAd1tQZFPmtvCToOOAhp4iER3r08E4vTUOKs4vvPog5yOhlCgy4CJ3K8HbuHA8QH70Xvh1Tuo%2Fi79a3%2FDzxZ5hNMVKsKLXJagoxjHCd22TcfjGcdxpo1%2BYcbwUEXdFba06B1lUSsD8A%2B5X%2BSQdX%2FYfiI8g", "https://www.wcvb.com/article/cohasset-massachusetts-school-employee-power-cryptocurrency-mine/43025932", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192564&Signature=bI%2FmFLlckahzDU%2FSDsxXds3czan%2BiIJWhk9ISJRpdCEp7pezQxiWJLiEt13K1Rra8HT9gGSndmBMCsZ3NF46U1JNWcVLzOCiX9Munkk3nn%2BFYv5OJFsJgqkcWu%2F8Q0WDNu%2FURM8wWERVypqMET%2FQwRNd9YHCxjD0j7v0T3XoXaTlWlBFBrShH05u3XPLaW76S8zT69nl8TDRX59iXZrgFHm0v%2FbksZ10TIJ%2BkzCS7CRdNRaqmSI3", "https://www.facebook.com/groups/2387525621437001/posts/2775911069265119/", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192713&Signature=iX6awMq82XItc5YWXGjoiAr6mGBE7yEqoAv6iPmemNzbuRwWI2nsDjbV5nEvfIl7MtjHOMVwDCRv%2BZ2sjFbIZrahyniPpoGrg69FjdfFMyQPzsYv1Bg5snry%2FW22ROJl%2BMYxKIK1x9hvxXnOtz3SCOY7a31RavAEL%2Fj1rXwDIjrOI%2BtBuen3TYw4ANLBvSUFgMc1FyJpbKIrA%2BIQFzSDTi%2Fa0d9iSrA0Y3shshUY3yMDCspB", "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192866&Signature=GgQ76qxY14JaBRGE9w93sbvGI6fl4dPQTxyj4aZlFxsdTWtcYcrMMy5JoQR3aqlBBJrMh19x%2F7%2BJpxBOvHM4CIqSetvdLGlMyJoHTcYJODToEwpJW17TSTZAo5a%2F%2BFnQif%2BRaFVaF9sK6mcWhlcQ0LiRj4ZNO%2FhhAApJM0q3P6KXEuZ%2BTC%2FD%2Bcumt7r8nsdEXwRFQnIKr1dvupZqQVzDJ9%2BA9v7rFKrMcX0adiJp8Mgdih1Swf", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192911&Signature=Iyin7WLwS5Yl%2BLqBc2hNsfMx0vCUDhnnRASgy%2FOR1INoV9I%2FEIwn%2B9EgbBOtpw61w58DMWehC2Zn4kDGLX1D0q1v%2F7i6nAnnTs6fGlksqivhTOBDJLxqo9H2RLeBcFmcT8UDJnz1iRhPvMXVZ%2FEmFDz3WBDyNeoALRLw3ak6DhNDKaxFbjnRHZrmc%2BeEEk9SPXctF7Qd597QPZUzzNLdXY9LvbK2VzgZSdtddTiut7lD1ZHA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Electricity" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "URL": 117, "domain": 13, "FileHash-MD5": 7, "FileHash-SHA1": 4, "hostname": 66, "IPv4": 42 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf4aaed5e28797e2096a95", "name": "VirusTotal report\n for index.html", "description": "", "modified": "2026-04-03T05:05:50.814000", "created": "2026-04-03T05:05:50.814000", "tags": [ "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "meta", "phishing", "next", "cohasset high school", "massachusetts", "nadeam nahas", "cryptomining", "wcvb", "cohasset", "gordon", "nahas", "department", "cohasset police", "crypto mining", "karen anderson", "high school", "school", "bitcoin", "copy", "https", "urls", "html page", "layer protocol", "united", "title", "air assault", "band", "script", "press", "hold", "doctype html", "access", "head", "perimeterx", "pxosx7m0dx", "import", "body", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192470&Signature=nKlj9vgreN7fYV3U1aG4fv22mUc84blejB1PyhBS4HoWpTcNOqIPDeDH2EU%2BDhrXFrxgNPDfk3m7ZF%2F2VFHNyw%2Fy18TAd1tQZFPmtvCToOOAhp4iER3r08E4vTUOKs4vvPog5yOhlCgy4CJ3K8HbuHA8QH70Xvh1Tuo%2Fi79a3%2FDzxZ5hNMVKsKLXJagoxjHCd22TcfjGcdxpo1%2BYcbwUEXdFba06B1lUSsD8A%2B5X%2BSQdX%2FYfiI8g", "https://www.wcvb.com/article/cohasset-massachusetts-school-employee-power-cryptocurrency-mine/43025932", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192564&Signature=bI%2FmFLlckahzDU%2FSDsxXds3czan%2BiIJWhk9ISJRpdCEp7pezQxiWJLiEt13K1Rra8HT9gGSndmBMCsZ3NF46U1JNWcVLzOCiX9Munkk3nn%2BFYv5OJFsJgqkcWu%2F8Q0WDNu%2FURM8wWERVypqMET%2FQwRNd9YHCxjD0j7v0T3XoXaTlWlBFBrShH05u3XPLaW76S8zT69nl8TDRX59iXZrgFHm0v%2FbksZ10TIJ%2BkzCS7CRdNRaqmSI3", "https://www.facebook.com/groups/2387525621437001/posts/2775911069265119/", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192713&Signature=iX6awMq82XItc5YWXGjoiAr6mGBE7yEqoAv6iPmemNzbuRwWI2nsDjbV5nEvfIl7MtjHOMVwDCRv%2BZ2sjFbIZrahyniPpoGrg69FjdfFMyQPzsYv1Bg5snry%2FW22ROJl%2BMYxKIK1x9hvxXnOtz3SCOY7a31RavAEL%2Fj1rXwDIjrOI%2BtBuen3TYw4ANLBvSUFgMc1FyJpbKIrA%2BIQFzSDTi%2Fa0d9iSrA0Y3shshUY3yMDCspB", "https://vtbehaviour.commondatastorage.googleapis.com/5d18dde011474fb33b951576a4f40851a3edb37eed2c085cd54523d7205e9022_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192866&Signature=GgQ76qxY14JaBRGE9w93sbvGI6fl4dPQTxyj4aZlFxsdTWtcYcrMMy5JoQR3aqlBBJrMh19x%2F7%2BJpxBOvHM4CIqSetvdLGlMyJoHTcYJODToEwpJW17TSTZAo5a%2F%2BFnQif%2BRaFVaF9sK6mcWhlcQ0LiRj4ZNO%2FhhAApJM0q3P6KXEuZ%2BTC%2FD%2Bcumt7r8nsdEXwRFQnIKr1dvupZqQVzDJ9%2BA9v7rFKrMcX0adiJp8Mgdih1Swf", "https://vtbehaviour.commondatastorage.googleapis.com/42898d2ebf09851fe965b7055c2ec3c0eb22f029ac013f7f1f0894f2dc9f56ec_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775192911&Signature=Iyin7WLwS5Yl%2BLqBc2hNsfMx0vCUDhnnRASgy%2FOR1INoV9I%2FEIwn%2B9EgbBOtpw61w58DMWehC2Zn4kDGLX1D0q1v%2F7i6nAnnTs6fGlksqivhTOBDJLxqo9H2RLeBcFmcT8UDJnz1iRhPvMXVZ%2FEmFDz3WBDyNeoALRLw3ak6DhNDKaxFbjnRHZrmc%2BeEEk9SPXctF7Qd597QPZUzzNLdXY9LvbK2VzgZSdtddTiut7lD1ZHA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Electricity" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "URL": 117, "domain": 13, "FileHash-MD5": 7, "FileHash-SHA1": 4, "hostname": 66, "IPv4": 42 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c9dcbadbaa7b984894b3f2", "name": "VirusTotal report\n for document.html", "description": "", "modified": "2026-03-30T02:20:52.336000", "created": "2026-03-30T02:15:22.605000", "tags": [ "performs dns", "https", "united", "urls", "tls version", "mitre attack", "network info", "processes extra", "udp traffic", "t1055 process", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0079afbd3f097dfe5e8c0e96e7621bafccc334b11e4c6a0b7ad8c33830137c07_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774836979&Signature=nT3KwHpdATQPLVw62DZITrj18YBMfzDXdNaoxKNiqQ3tQIdbR0rb3AvFrVPTbJOgIyBC7JgTIQMr0Ftyr7Uq4o64jKYFzj70LDdM5M1fJC%2BRV3WU15fdKzBHRLtIt2U5qY1gUY2BvnbDxzzmYKH%2F5CpyqgzqVgZM1lvV7XX8lpMj4f%2FvaDU7w3AEOKwCPP7jQ8x%2B21mOqZVMT%2FSu9bwxQzmd3dJV%2FtIoDyhx5zytFKuqmLHZ4dW%2F2GIJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 112, "URL": 198, "domain": 40, "hostname": 96 }, "indicator_count": 466, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a823f8dbade2ab32ee77", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. Content reputation.", "description": "", "modified": "2023-12-06T16:58:11.569000", "created": "2023-12-06T16:58:11.569000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-SHA256": 598, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://schema.org/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://schema.org/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639366.9582286 }