{
"type": "URL",
"indicator": "https://sectigo.com/CPS0",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://sectigo.com/CPS0",
"type": "url",
"type_title": "URL",
"validation": [
{
"source": "akamai",
"message": "Akamai rank: #492",
"name": "Akamai Popular Domain"
},
{
"source": "majestic",
"message": "Whitelisted domain sectigo.com",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 3154884848,
"indicator": "https://sectigo.com/CPS0",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 47,
"pulses": [
{
"id": "69d98d5e88461ed06547690c",
"name": "CAPE ***** GRAMMERsoft. Love Letter ****",
"description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt",
"modified": "2026-04-19T09:05:59.274000",
"created": "2026-04-10T23:53:02.973000",
"tags": [
"cname",
"p2404",
"accept",
"default",
"host",
"strong",
"library",
"p11776139675",
"gmt range",
"p11776090280",
"shutdown",
"generic",
"bits",
"next ur",
"file type",
"ascii text",
"crlf line",
"ms windows",
"pe32",
"drops pe",
"intel",
"yara",
"sigma",
"njrat",
"malicious",
"darkcomet",
"code",
"delphi",
"dbatloader",
"loader",
"fraud",
"notpetya",
"killmbr",
"trojanransom",
"ransomware",
"next",
"settings",
"parent pid",
"full path",
"command line",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"format",
"shell",
"payload",
"kevin",
"revengerat",
"aspack",
"vmprotect",
"meteorite",
"petya",
"infinitylock",
"redline",
"remcos",
"javadropper",
"lokibot",
"guard",
"mono",
"eternalromance",
"exploit",
"badrabbit",
"windows sandbox",
"calls process",
"vbcrlf",
"error resume",
"next dim",
"page",
"loveletter",
"script",
"createobject",
"html",
"meta",
"name",
"title",
"body",
"iloveyou",
"generator",
"philippines",
"loop",
"@grammersoft",
"calls clear",
"ip address",
"cape sandbox",
"bootkit",
"t1055",
"t1497",
"error",
"back",
"pe file",
"network info",
"processes extra",
"sample",
"aslr",
"performs dns",
"t1055 process",
"overview",
"mitre attack",
"overview zenbox",
"none rticon",
"pattern",
"none image",
"file size",
"entity",
"winmm",
"dword",
"locale",
"screensaver",
"alexa",
"stars",
"crypt32",
"ddraw",
"winsta",
"ip traffic",
"lockfile"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
"https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
"https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t"
],
"public": 1,
"adversary": "@GRAMMERSoft",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1219",
"name": "Remote Access Software",
"display_name": "T1219 - Remote Access Software"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 513,
"FileHash-MD5": 613,
"FileHash-SHA1": 373,
"FileHash-SHA256": 569,
"URL": 466,
"hostname": 580,
"domain": 60,
"email": 3,
"CVE": 2,
"JA3": 1
},
"indicator_count": 3180,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "14 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e0941d8d439e7a477874c8",
"name": "Overlay + Exp Certs",
"description": "",
"modified": "2026-04-17T06:42:04.558000",
"created": "2026-04-16T07:47:41.334000",
"tags": [
"gb st",
"salford o",
"sectigo limited",
"sectigo rsa",
"time stamping",
"yara detections",
"legalcopyright",
"iobit",
"cn st",
"sheng l"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 562,
"FileHash-SHA1": 136,
"FileHash-SHA256": 2302,
"URL": 129,
"IPv4": 111,
"domain": 24,
"hostname": 120,
"email": 2,
"JA3": 3
},
"indicator_count": 3389,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b5d3a6f42c76f35980da09",
"name": "CAPE Sandbox- TLP: Amber and Strict",
"description": "Following.",
"modified": "2026-04-13T21:01:18.278000",
"created": "2026-03-14T21:31:18.765000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 78,
"FileHash-SHA1": 95,
"FileHash-SHA256": 86,
"domain": 40,
"hostname": 119,
"URL": 141
},
"indicator_count": 559,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49a4f8a43283f82d150d2",
"name": "CAPE Sandbox - Sysdiag",
"description": "While this may be a prior discovery (uncertain background of it)- it has been my single largest fear. msudosos research suggests: Sysdiag ability to read / write its own. is effectively \"gaslighting\" the operating system. The analyzed file (Hash: fd373...8fd) demonstrates high-level anti-forensic capabilities. Its most dangerous feature is the active interception and rewriting of System Diagnostic (SysDiag) logs to mask its presence.\nTechnical Findings:\nLive Log Tampering: The malware monitors system event streams in real-time. It identifies entries related to its own execution (process starts, registry changes) and deletes or modifies them before they are committed to disk.\nSandbox Subversion: By \"writing its own\" diagnostic data, it feeds the CAPE sandbox false information, making malicious actions appear as standard Windows telemetry.\nPrivilege Escalation: To rewrite these logs, the malware is successfully gaining SYSTEM-level permissions, likely via exploit or token stealing.",
"modified": "2026-04-13T00:21:24.884000",
"created": "2026-03-13T23:14:23.778000",
"tags": [
"pe32",
"intel",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"pe32 installer",
"install system",
"compiler",
"linker"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 19,
"FileHash-SHA1": 22,
"FileHash-SHA256": 38,
"hostname": 52,
"URL": 39,
"domain": 10
},
"indicator_count": 180,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b4a2620d4d557263906d13",
"name": "VirusTotal report\n for sysdiag-all-x64-6.0.8.5-2026.01.11.1.exe",
"description": "See my summary of last report. Likely remeasures sandboxed environments making scores lower. (speculation)",
"modified": "2026-04-12T23:35:46.239000",
"created": "2026-03-13T23:48:50.318000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 32,
"FileHash-MD5": 24,
"FileHash-SHA1": 24,
"FileHash-SHA256": 138,
"domain": 11,
"hostname": 27,
"email": 2
},
"indicator_count": 258,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b1fe81a036fb6a5d7fe16c",
"name": "VirusTotal report\n for executable.exe",
"description": "",
"modified": "2026-04-10T23:06:53.889000",
"created": "2026-03-11T23:45:05.153000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1,
"URL": 14,
"hostname": 7,
"domain": 4
},
"indicator_count": 28,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d6e664f3469eb0ca747caf",
"name": "CAPE Sandbox",
"description": "A Malware Analysis Service (MZP) sample has been found on a Windows operating system, and the results are published on the BBC News website and BBC World News app, as well as online.> Zenbox does not pick this up as Cape and juju do, noting for QA analysis. Mitre Signatures\n52. Interesting: \n3Planesoft Screensaver Manager\nMore info\nhttps://www.3planesoft.com",
"modified": "2026-04-08T23:51:41.181000",
"created": "2026-04-08T23:36:04.116000",
"tags": [
"registry keys",
"nothing",
"localsm05880168",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"read files",
"apis nothing",
"windows sandbox",
"calls clear",
"pe file",
"sample",
"mitre attack",
"network info",
"contains",
"aslr",
"program",
"t1055 process",
"overview",
"processes extra",
"code",
"delphi",
"next",
"resolutions",
"ip traffic",
"registry value",
"encoding",
"registry key",
"evasion b0002",
"evasion b0003",
"f0001",
"analysis ob0002",
"packing f0001",
"screen capture",
"e1113 winapi",
"one drive"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691312&Signature=vEpYxY%2F4CQmF6hT9MCtv1Rt%2Bej2RQWoV49iHYR0etU9QOMDDvNac0Ad54ONwSUM6Rkm1EHnxUImDAPsR0fVybpNRv8rtsyQ56YcSqkrni7bUUTWuUuvSEes6f2XiIpynJVCz2yjMlhbihI6eRkw%2FybsHFV%2B1EvWH5IxHIyxtkcgQOB44dpzDGE9mgZHwMB2fup%2BboFRgeKxLHkqzWmbvcFvBaNv5jRgcIcFceBxhuxN%2FzPmGnk",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691344&Signature=A2cVxTc9%2BKZZCD2SmoAjI0aXbPY22pk7I1QJy7R2y%2BRsrLX92hzFv68Vi7comdtal%2Fuh3W7CMuZ8hDgp78Pw8zje7Q2YzJcR8JDI68PDoDzY8jcybL8TnZmww8R%2BGrhifWwAk4YtGpL0ed9eQq25Bll1Iblvwmlvf%2BeNmKXDLE4Z9tnexW3rEF9Cn%2F3%2FEot5fy94kXVZuuiiZo26%2FeB9gHka1Kfjdj%2FfJPnTKy",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691373&Signature=tGkOgGIRwglmNlZyyJdH94zuGYX%2FS9d2N3Cuz779NTCxbmiabKdLUVC4suOPbJVvGO0v%2BgRtbJbM%2B6ZDa1%2FsA2%2BJXpHt3kThSLLFxLGbIXPApvtgejn%2FLf5yA7kly76P0rzFE3e1ZH1F3tZtuzqswLr15vKv0fMWHVQgeVUjjCCcyBLQUbAPNU%2Bm34r%2BidTop8LXgsvM%2BdG9a2Cr6gk2fwCVyHmO6WAdPM1yY7lmOx3ysTWADRpt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 43,
"FileHash-MD5": 115,
"FileHash-SHA1": 89,
"FileHash-SHA256": 311,
"URL": 42,
"hostname": 55,
"domain": 3
},
"indicator_count": 658,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d1396bb42208f8aa25b8ae",
"name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable",
"description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.",
"modified": "2026-04-04T16:16:43.680000",
"created": "2026-04-04T16:16:43.680000",
"tags": [
"binary",
"yara rule",
"binary file",
"yara",
"pe section",
"av detections",
"ip address",
"url analysis",
"urls",
"singapore",
"singapore asn",
"as14061",
"edgeview drive",
"suite",
"broomfield",
"colorado",
"key usage",
"handle",
"v3 serial",
"number",
"cert validity",
"asia pacific",
"traefik default",
"cert",
"thumbprint",
"name",
"all filehash",
"learn",
"adversaries",
"calls",
"ck id",
"name tactics",
"suspicious",
"informative",
"reads",
"defense evasion",
"loads",
"model",
"call",
"getprocaddress",
"span",
"path",
"mitre att",
"ck matrix",
"access type",
"value",
"windir",
"open",
"error",
"click",
"contact",
"meta",
"april",
"hybrid",
"format",
"strings",
"united",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"status",
"fastest privacy",
"first dns",
"trojan",
"pegasus",
"title",
"dynamicloader",
"ms windows",
"intel",
"pe32 executable",
"win32",
"medium",
"pe32",
"high",
"mozilla",
"delphi",
"injectdll",
"write",
"malware",
"observer",
"stream",
"unknown",
"lredmond",
"stwa",
"omicrosoft",
"stwashington",
"server ca",
"https domain",
"accept",
"read c",
"ogoogle trust",
"worm",
"code",
"td td",
"td tr",
"a td",
"dynamic dns",
"name servers",
"arial",
"zeppelin",
"null",
"enough",
"hosts",
"fast",
"tls sni",
"cloudflare dns",
"google dns",
"showing",
"get icarus",
"show",
"ascii text",
"global",
"next",
"cc fd",
"d4 dc",
"a3 ad",
"a8 c7",
"bb c7",
"f0 f1",
"f4 ca",
"bc a1",
"win64",
"local",
"otx logo",
"hostname",
"passive dns",
"files",
"less",
"related tags",
"servers",
"certificate",
"domain",
"cloudflare",
"khtml",
"gecko",
"ids detections",
"yara detections",
"ip lookup",
"encrypt",
"elf executable",
"sysv",
"linux",
"elf64 operation",
"unix",
"exec amd6464",
"elf geomi",
"modify system",
"process l",
"t1543",
"systemd service",
"ta0004",
"techniques",
"process create",
"modify syst",
"t1036 indicator",
"remc t1070",
"file",
"directoi t1222",
"t1027 masquerac",
"t1070",
"data upload",
"extraction",
"failed",
"ta0005",
"t1027",
"memory pattern",
"domains",
"dns resolutions",
"full reports",
"v ip",
"traffic tcp",
"g sh",
"c tmpsample",
"binrm f",
"usrbinid id",
"usrbinsystemctl",
"proc1environ",
"proccpuinfo",
"include",
"review exclude",
"sample",
"https",
"performs dns",
"tls version",
"mitre attack",
"network info",
"file type",
"persistence",
"include review",
"exclude sugges",
"find s",
"unique ru",
"review occ",
"exclude data",
"alvoes",
"include data",
"suggest",
"find c",
"typ filet",
"filet ce",
"layer protocol",
"http performs",
"reads cpu",
"proc indicative",
"filet filet",
"pulse",
"file hach",
"h1256",
"filer data",
"typ data",
"filer filehuon",
"filet filer",
"exchange all",
"typ no",
"no entri",
"exclude",
"suggested ocs",
"manualy",
"hua muicalul",
"find",
"indicatore",
"typ innicatad",
"new threat",
"dive into",
"zergeca botnet",
"reference",
"report publish",
"zergeca",
"all se",
"matches edolavd",
"matches data",
"matches matches",
"type",
"extr",
"tico data",
"get hello",
"mirai variant",
"useragent",
"hello",
"outbound",
"world",
"search",
"hackingtrio ua",
"inbound",
"mirai",
"info",
"shell",
"pulse pulses",
"files ip",
"address domain",
"ip related",
"labs pulses",
"pulses",
"post",
"http traffic",
"tocstut",
"reference id",
"xor key",
"canada",
"america",
"germany",
"doh",
"ddos",
"botnet",
"en",
"xor",
"twitter",
"stop",
"loader",
"downloader",
"zerg",
"mirai",
"golang",
"c2 resolution",
"germany",
"c2 ip",
"virustotal",
"smux",
"ck ids",
"t1082",
"applescript",
"t1190",
"application",
"private server",
"t1609",
"command",
"unix shell",
"software supply",
"service",
"chain",
"t1499",
"entries",
"otx telemetry",
"next associated",
"backdoor",
"detections",
"sha256 add",
"alerts",
"heur",
"all domain",
"creation date",
"record value",
"aaaa",
"date",
"unknown ns",
"ponmocup post",
"infection dns",
"mtb nov",
"ipv4 add",
"external ip",
"copy"
],
"references": [
"www.joewa.com",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"Loads modules at runtime Looks up procedures from modules",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"Crowdsourced SIGMA Below:",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS Below:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Unique rule identifier: This rule belongs to a private collection.",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"crypto-pool.fr",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"IDS: Observed Suspicious UA (Hello, World)",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: cape_detected_threat",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"https://dns.google/resolve?name=SELECT",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"Address shows an place of origin: Broomfield , Co",
"Believed to be originating from Germany and Russia",
"BGP Hurricane Electric seen",
"Potentially Pegasus related . Found to be affecting an IOS device",
"Indicators seen may have affected a few OTX users. Is ongoing",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"This pulse is so huge it\u2019s a mess. Will break down."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Thailand",
"Germany",
"Canada"
],
"malware_families": [
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"target": null
},
{
"id": "Trojan.Sagnt/R011c0dfs24",
"display_name": "Trojan.Sagnt/R011c0dfs24",
"target": null
},
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "Unix.Trojan.Mirai",
"display_name": "Unix.Trojan.Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7669677-0",
"display_name": "Unix.Trojan.Mirai-7669677-0",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1590.005",
"name": "IP Addresses",
"display_name": "T1590.005 - IP Addresses"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1056.004",
"name": "Credential API Hooking",
"display_name": "T1056.004 - Credential API Hooking"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1608.002",
"name": "Upload Tool",
"display_name": "T1608.002 - Upload Tool"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1609",
"name": "Container Administration Command",
"display_name": "T1609 - Container Administration Command"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1195.002",
"name": "Compromise Software Supply Chain",
"display_name": "T1195.002 - Compromise Software Supply Chain"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1583.003",
"name": "Virtual Private Server",
"display_name": "T1583.003 - Virtual Private Server"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 795,
"FileHash-SHA1": 648,
"FileHash-SHA256": 3708,
"IPv4": 294,
"URL": 2587,
"domain": 739,
"hostname": 1129,
"email": 14,
"CIDR": 15,
"IPv6": 27,
"SSLCertFingerprint": 18,
"CVE": 4
},
"indicator_count": 9978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "15 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d1395ab63bf8e8d2c384eb",
"name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable",
"description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.",
"modified": "2026-04-04T16:16:26.128000",
"created": "2026-04-04T16:16:26.128000",
"tags": [
"binary",
"yara rule",
"binary file",
"yara",
"pe section",
"av detections",
"ip address",
"url analysis",
"urls",
"singapore",
"singapore asn",
"as14061",
"edgeview drive",
"suite",
"broomfield",
"colorado",
"key usage",
"handle",
"v3 serial",
"number",
"cert validity",
"asia pacific",
"traefik default",
"cert",
"thumbprint",
"name",
"all filehash",
"learn",
"adversaries",
"calls",
"ck id",
"name tactics",
"suspicious",
"informative",
"reads",
"defense evasion",
"loads",
"model",
"call",
"getprocaddress",
"span",
"path",
"mitre att",
"ck matrix",
"access type",
"value",
"windir",
"open",
"error",
"click",
"contact",
"meta",
"april",
"hybrid",
"format",
"strings",
"united",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"status",
"fastest privacy",
"first dns",
"trojan",
"pegasus",
"title",
"dynamicloader",
"ms windows",
"intel",
"pe32 executable",
"win32",
"medium",
"pe32",
"high",
"mozilla",
"delphi",
"injectdll",
"write",
"malware",
"observer",
"stream",
"unknown",
"lredmond",
"stwa",
"omicrosoft",
"stwashington",
"server ca",
"https domain",
"accept",
"read c",
"ogoogle trust",
"worm",
"code",
"td td",
"td tr",
"a td",
"dynamic dns",
"name servers",
"arial",
"zeppelin",
"null",
"enough",
"hosts",
"fast",
"tls sni",
"cloudflare dns",
"google dns",
"showing",
"get icarus",
"show",
"ascii text",
"global",
"next",
"cc fd",
"d4 dc",
"a3 ad",
"a8 c7",
"bb c7",
"f0 f1",
"f4 ca",
"bc a1",
"win64",
"local",
"otx logo",
"hostname",
"passive dns",
"files",
"less",
"related tags",
"servers",
"certificate",
"domain",
"cloudflare",
"khtml",
"gecko",
"ids detections",
"yara detections",
"ip lookup",
"encrypt",
"elf executable",
"sysv",
"linux",
"elf64 operation",
"unix",
"exec amd6464",
"elf geomi",
"modify system",
"process l",
"t1543",
"systemd service",
"ta0004",
"techniques",
"process create",
"modify syst",
"t1036 indicator",
"remc t1070",
"file",
"directoi t1222",
"t1027 masquerac",
"t1070",
"data upload",
"extraction",
"failed",
"ta0005",
"t1027",
"memory pattern",
"domains",
"dns resolutions",
"full reports",
"v ip",
"traffic tcp",
"g sh",
"c tmpsample",
"binrm f",
"usrbinid id",
"usrbinsystemctl",
"proc1environ",
"proccpuinfo",
"include",
"review exclude",
"sample",
"https",
"performs dns",
"tls version",
"mitre attack",
"network info",
"file type",
"persistence",
"include review",
"exclude sugges",
"find s",
"unique ru",
"review occ",
"exclude data",
"alvoes",
"include data",
"suggest",
"find c",
"typ filet",
"filet ce",
"layer protocol",
"http performs",
"reads cpu",
"proc indicative",
"filet filet",
"pulse",
"file hach",
"h1256",
"filer data",
"typ data",
"filer filehuon",
"filet filer",
"exchange all",
"typ no",
"no entri",
"exclude",
"suggested ocs",
"manualy",
"hua muicalul",
"find",
"indicatore",
"typ innicatad",
"new threat",
"dive into",
"zergeca botnet",
"reference",
"report publish",
"zergeca",
"all se",
"matches edolavd",
"matches data",
"matches matches",
"type",
"extr",
"tico data",
"get hello",
"mirai variant",
"useragent",
"hello",
"outbound",
"world",
"search",
"hackingtrio ua",
"inbound",
"mirai",
"info",
"shell",
"pulse pulses",
"files ip",
"address domain",
"ip related",
"labs pulses",
"pulses",
"post",
"http traffic",
"tocstut",
"reference id",
"xor key",
"canada",
"america",
"germany",
"doh",
"ddos",
"botnet",
"en",
"xor",
"twitter",
"stop",
"loader",
"downloader",
"zerg",
"mirai",
"golang",
"c2 resolution",
"germany",
"c2 ip",
"virustotal",
"smux",
"ck ids",
"t1082",
"applescript",
"t1190",
"application",
"private server",
"t1609",
"command",
"unix shell",
"software supply",
"service",
"chain",
"t1499",
"entries",
"otx telemetry",
"next associated",
"backdoor",
"detections",
"sha256 add",
"alerts",
"heur",
"all domain",
"creation date",
"record value",
"aaaa",
"date",
"unknown ns",
"ponmocup post",
"infection dns",
"mtb nov",
"ipv4 add",
"external ip",
"copy"
],
"references": [
"www.joewa.com",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"Loads modules at runtime Looks up procedures from modules",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"Crowdsourced SIGMA Below:",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS Below:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Unique rule identifier: This rule belongs to a private collection.",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"crypto-pool.fr",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"IDS: Observed Suspicious UA (Hello, World)",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: cape_detected_threat",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"https://dns.google/resolve?name=SELECT",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"Address shows an place of origin: Broomfield , Co",
"Believed to be originating from Germany and Russia",
"BGP Hurricane Electric seen",
"Potentially Pegasus related . Found to be affecting an IOS device",
"Indicators seen may have affected a few OTX users. Is ongoing",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"This pulse is so huge it\u2019s a mess. Will break down."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Thailand",
"Germany",
"Canada"
],
"malware_families": [
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"target": null
},
{
"id": "Trojan.Sagnt/R011c0dfs24",
"display_name": "Trojan.Sagnt/R011c0dfs24",
"target": null
},
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "Unix.Trojan.Mirai",
"display_name": "Unix.Trojan.Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7669677-0",
"display_name": "Unix.Trojan.Mirai-7669677-0",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1590.005",
"name": "IP Addresses",
"display_name": "T1590.005 - IP Addresses"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1056.004",
"name": "Credential API Hooking",
"display_name": "T1056.004 - Credential API Hooking"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1608.002",
"name": "Upload Tool",
"display_name": "T1608.002 - Upload Tool"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1609",
"name": "Container Administration Command",
"display_name": "T1609 - Container Administration Command"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1195.002",
"name": "Compromise Software Supply Chain",
"display_name": "T1195.002 - Compromise Software Supply Chain"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1583.003",
"name": "Virtual Private Server",
"display_name": "T1583.003 - Virtual Private Server"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 795,
"FileHash-SHA1": 648,
"FileHash-SHA256": 3708,
"IPv4": 294,
"URL": 2587,
"domain": 739,
"hostname": 1129,
"email": 14,
"CIDR": 15,
"IPv6": 27,
"SSLCertFingerprint": 18,
"CVE": 4
},
"indicator_count": 9978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "15 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ca9cdb34719e60c191a081",
"name": "VirusTotal report\n for avast_business_agent_setup_online.exe",
"description": "",
"modified": "2026-03-30T15:57:49.501000",
"created": "2026-03-30T15:55:06.985000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 72,
"FileHash-MD5": 66,
"FileHash-SHA1": 66,
"FileHash-SHA256": 226,
"IPv4": 2,
"domain": 7,
"hostname": 41
},
"indicator_count": 480,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "20 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69ba323e496a545a7a74d91b",
"name": "SecondWrite DeepView - 2d68755335776e3de28fcd1757b7dcc07688b31c37205ce2324d92c2f419c6f0",
"description": "",
"modified": "2026-03-18T05:04:36.073000",
"created": "2026-03-18T05:03:58.128000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 2,
"URL": 18,
"domain": 2,
"hostname": 10
},
"indicator_count": 36,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "32 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a5c36b78ed73550bb0bf22",
"name": "by Disable_Duck",
"description": "",
"modified": "2026-03-04T23:37:24.208000",
"created": "2026-03-02T17:05:47.288000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB",
"TLS/SSL Crawler",
"CVE-2026-24061 Attempt",
"Generic IoT Default Password Attempt",
"Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
"Dahua Backdoor Attempt",
"ENV Crawler",
"DCERPC Protocol",
"Carries HTTP Referer",
"GNU Inetutils Telnetd Auth Bypass",
"ICMPv4 Protocol"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)",
"Argentina",
"Switzerland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6901363c4ce422f5caf0f72c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 996,
"domain": 987,
"hostname": 3306,
"email": 4,
"CVE": 1
},
"indicator_count": 27048,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "45 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6afd744c55bd596ed6e",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:27.248000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d69ecbc0497f97e28618",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:10.502000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6976d6a601f06adcd1ed22fc",
"name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)",
"description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello",
"modified": "2026-02-25T02:03:02.441000",
"created": "2026-01-26T02:51:18.022000",
"tags": [
"united",
"error",
"port",
"destination",
"host",
"tlsv1",
"intel",
"ms windows",
"worm",
"delphi",
"write",
"malware",
"suspicious",
"autorun",
"bloat",
"checkin",
"google",
"drive",
"cape",
"lowfi",
"hookwowlow dec",
"passive dns",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"twitter",
"trojandropper",
"virtool",
"win32",
"susp",
"hookwowlow",
"injection",
"please",
"x msedge",
"ipv4 add",
"urls",
"dynamicloader",
"windows",
"professional",
"delete c",
"tls issuing",
"x005x00xc0",
"xc0xc0",
"xc0nxc0tx00jx00",
"stwa",
"lredmond",
"explorer",
"powershell",
"accept",
"corporation10",
"trojan",
"pegasus",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present sep",
"present aug",
"redacted for",
"ip address",
"search",
"unknown cname",
"memcommit",
"default",
"sectigo limited",
"read c",
"gb st",
"inprocserver32",
"sectigo public",
"defender",
"next",
"present jan",
"spain",
"domain add",
"files",
"asn as15169",
"flag",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"ck techniques",
"mitre att",
"ck matrix",
"starfield",
"hybrid",
"general",
"path",
"strings",
"extraction",
"data upload",
"failed",
"include review",
"exclude sugges",
"stop data",
"levelblue",
"open threat",
"url https",
"none google",
"url http",
"no expiration",
"iocs",
"domain",
"pdf report",
"pcap",
"stix",
"openioc",
"ocs to",
"exclude",
"suggesteu",
"find s",
"snow",
"aitypes",
"suspicious_redirect",
"url_encoding",
"present dec",
"unknown aaaa",
"present oct",
"record value",
"body",
"encrypt",
"access att",
"link initial",
"ascii text",
"pattern match",
"sha256",
"show technique",
"iframe",
"local",
"united states",
"brian sabey",
"christopher p. ahmann",
"black rock",
"td td",
"td tr",
"a td",
"dynamic dns",
"meta name",
"strong",
"static dns",
"date",
"null",
"enough",
"hosts",
"fast"
],
"references": [
"Sprouts Farmers Market",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Pegasus | A targets devices are obviously infiltrated",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Alerts: cape_detected_threat https_ urls",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"Domains Contacted: drive.usercontent.google.com",
"ConventionEngine_Anomaly_MultiPDB_Double",
"https://jviwczq.zc-apple.com/",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Malware Hosting: 13.107.226.70",
"Scanning Host: 13.107.246.70",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"sprouts@em.sprouts.com?",
"http://blackrock.work.gd/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"supplierportal.gov2x.com",
"http://wonporn.com/top/Pakistani_Sucking",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"supply.qld.gov.au",
"okta-dev.gov2x.com",
"verify.gov.tl",
"api.optimizer.insitemaxdev.gov2x.com",
"iot.insitemaxdev.gov2x.com",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"freedns.afraid.org",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Sabey , Ahmann, Quasi Government, Government"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFI:HookwowLow",
"display_name": "#LowFI:HookwowLow",
"target": null
},
{
"id": "Win.Trojan.CobaltStrike-9044898-1",
"display_name": "Win.Trojan.CobaltStrike-9044898-1",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "SLF:Win64/CobPipe.A",
"display_name": "SLF:Win64/CobPipe.A",
"target": "/malware/SLF:Win64/CobPipe.A"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:Trojan:Win32/Anorocuriv.A",
"display_name": "ALF:Trojan:Win32/Anorocuriv.A",
"target": null
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Pushdo-15",
"display_name": "Win.Trojan.Pushdo-15",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "Win32:Trojano-CHF\\ [Trj]",
"display_name": "Win32:Trojano-CHF\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.3867-1",
"display_name": "Win.Downloader.3867-1",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Susp]",
"display_name": "Win32:Evo-gen\\ [Susp]",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.gen!AH",
"display_name": "Virtool:Win32/CeeInject.gen!AH",
"target": "/malware/Virtool:Win32/CeeInject.gen!AH"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1003.003",
"name": "NTDS",
"display_name": "T1003.003 - NTDS"
},
{
"id": "T1055.008",
"name": "Ptrace System Calls",
"display_name": "T1055.008 - Ptrace System Calls"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1564.005",
"name": "Hidden File System",
"display_name": "T1564.005 - Hidden File System"
}
],
"industries": [
"Retail",
"Government",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12640,
"hostname": 4429,
"email": 7,
"domain": 1250,
"FileHash-SHA256": 1633,
"FileHash-MD5": 278,
"FileHash-SHA1": 343,
"SSLCertFingerprint": 17
},
"indicator_count": 20597,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "53 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6901363c4ce422f5caf0f72c",
"name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
"description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
"modified": "2026-02-18T05:00:41.494000",
"created": "2025-10-28T21:31:40.008000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 995,
"domain": 984,
"hostname": 3305,
"email": 4
},
"indicator_count": 27042,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "60 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6963596c4cd594b77b4675ec",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
"description": "",
"modified": "2026-02-10T06:05:39.764000",
"created": "2026-01-11T08:03:56.534000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": "693cdc5b8ebc10664439c2fb",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693cdc5b8ebc10664439c2fb",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
"description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
"modified": "2026-02-10T06:05:39.764000",
"created": "2025-12-13T03:24:11.414000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6954e4130063ed73e2d19f2c",
"name": "Certificates Dos . zip 2d7df8245c523a5cf3ddeba2290d7aca9ab3c232c3d4f50fc13191bf423e19e6",
"description": "E:\\Suss-SG2\\12.01.25 - Certificates Dos.zip\n\nPicked up by Thor APT Scanner 64 lite",
"modified": "2026-01-30T00:01:11.705000",
"created": "2025-12-31T08:51:31.050000",
"tags": [
"fri dec",
"tue dec",
"malware file",
"scanid",
"sat dec",
"subscore1",
"sigtype1",
"sigclass1",
"rule matched1",
"author1",
"class",
"root",
"code",
"macos",
"agent",
"Certificates",
"MalCerts"
],
"references": [
"2d7df8245c523a5cf3ddeba2290d7aca9ab3c232c3d4f50fc13191bf423e19e6",
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://www.virustotal.com/gui/collection/c180064c3dcd55cc40629fa447f5d6638ebd1149ef5e9b314d98edd1a12c3dd4/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 806,
"FileHash-SHA256": 462,
"URL": 80,
"email": 2,
"hostname": 38,
"domain": 10
},
"indicator_count": 1820,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "694f0aa090aedc7e498b2e9a",
"name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS",
"description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.",
"modified": "2026-01-25T21:03:27.507000",
"created": "2025-12-26T22:22:24.480000",
"tags": [
"related tags",
"none google",
"win32",
"united",
"united states",
"irs",
"qakbot",
"qbot",
"inject",
"keylogger",
"botx",
"active",
"bot network",
"et trojan",
"hello ssl",
"destination",
"port",
"unknown",
"ciphersuite",
"sessionid",
"asnone",
"write",
"virustotal",
"drweb",
"vipre",
"mcafee",
"panda",
"malware",
"pandex!gen1",
"et",
"brazil as16625",
"akamai",
"united kingdom",
"dynamicloader",
"medium",
"tls handshake",
"failure",
"yara rule",
"high",
"cape",
"guard",
"error",
"delphi",
"qakbot",
"tlsv1",
"entries",
"iobit unikstall",
"global",
"read c",
"rgba",
"unicode",
"memcommit",
"delete",
"msie",
"windows nt",
"next",
"dock",
"execution",
"server header",
"download",
"suspicious",
"specified",
"logic",
"web products",
"present nov",
"present dec",
"present jun",
"present oct",
"present may",
"aaaa",
"next associated",
"urls show",
"scheme",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"beginstring",
"show process",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"iframe",
"click",
"strings",
"tools",
"title",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"adult content",
"lol fun hackers"
],
"references": [
"Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
"IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
"Pandex!gen1 Web Products",
"Crypt3.BXVC IDS: Suspicious double Server Header",
"Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
"Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
"Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
"Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
"Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
"Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
"Crypt3.BXVC IDS: Abuseat.org Block Message",
"Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
"Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
"Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
"Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
"Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
"ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Canada",
"Brazil",
"Ireland",
"India",
"Georgia",
"Singapore",
"Spain",
"Japan"
],
"malware_families": [
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
},
{
"id": "Win.Keylogger.Qbot-9987768-0",
"display_name": "Win.Keylogger.Qbot-9987768-0",
"target": null
},
{
"id": "Win.Trojan.Qakbot-9988002-1",
"display_name": "Win.Trojan.Qakbot-9988002-1",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Web Products",
"display_name": "Web Products",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Finance",
"Government",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 158,
"URL": 140,
"hostname": 287,
"FileHash-SHA256": 85,
"FileHash-MD5": 110,
"FileHash-SHA1": 77,
"SSLCertFingerprint": 8
},
"indicator_count": 865,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "84 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68a23eef53f1124e8dc273fc",
"name": "Sign in to your account - Anorocuriv",
"description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/",
"modified": "2025-09-16T20:00:00.565000",
"created": "2025-08-17T20:43:27.502000",
"tags": [
"url http",
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"showing",
"entries",
"status",
"msie",
"chrome",
"passive dns",
"urls",
"date",
"pulse pulses",
"files",
"domain",
"files ip",
"body",
"http",
"hostname",
"files domain",
"present jan",
"present dec",
"united",
"present aug",
"present jun",
"unknown aaaa",
"present mar",
"present may",
"present feb",
"present jul",
"error",
"a domains",
"gmt content",
"accept encoding",
"config nocache",
"hostname add",
"pulse submit",
"content type",
"certificate",
"ip address",
"cookie",
"mita",
"next associated",
"please",
"x msedge",
"ipv4 add",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"size",
"pattern match",
"mitre att",
"ascii text",
"null",
"click",
"august",
"hybrid",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"adversaries",
"ssl certificate",
"logo",
"av detection",
"default browser",
"guest system",
"professional",
"falcon sandbox",
"response risk",
"ck techniques",
"detection",
"show process",
"prefetch8",
"windows nt",
"win64",
"khtml",
"gecko",
"post collect",
"microsoft edge",
"nota",
"brand",
"class",
"facebook",
"ascii",
"hex dump",
"extraction",
"failed",
"data upload",
"pul data",
"enter",
"s data",
"type",
"extr error",
"href",
"mask",
"extra",
"uta support",
"include review",
"exclude sugges",
"find",
"wow64",
"show",
"observed dns",
"query",
"unknown",
"virtool",
"copy",
"write",
"defender",
"expiro",
"malware",
"next",
"lowfi",
"hookwowlow dec",
"mtb jan",
"mtb nov",
"hookwowlow nov",
"trojan",
"trojandropper",
"http request",
"delete",
"yara detections",
"pe exe",
"dll windows",
"minimal http",
"february",
"guard",
"alerts",
"analysis date",
"file score",
"detections alf",
"detections http",
"http executable",
"retrieved",
"location united",
"america flag",
"america asn",
"urls show",
"date checked",
"url hostname",
"server response"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 853,
"hostname": 1835,
"URL": 7127,
"email": 3,
"FileHash-SHA256": 1470,
"FileHash-MD5": 293,
"FileHash-SHA1": 284,
"SSLCertFingerprint": 426,
"CVE": 1
},
"indicator_count": 12292,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "215 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66e87da28b9c1611223c1a6b",
"name": "Telegram - Remote install | log4shell-generic | Botnet | Pegasus Relationship",
"description": "0.0.0.0 Day: Exploiting Localhost APIs From the Browser.\nA root of device issues: \nTarget was remotely subscribed to Telegram 10/23. This phone silently made 2 calls to (380) 222-3333. An activation code for blacklisted t.me/login/***** received by text. Target remembers this occured during sleep. Pegasus relationship. Mirai relationship auto-populated. Reference to new Mirai infection. I didn't find Mirai IoC's\nBrian Hau? Lol, idk about that.\n|| SLFPER:SoftwareBundler:Win32/Dlhelper\n#Lowfi:LUA:AutoItV3CraftedOverlay\nALF:HeraklezEval:Trojan:Win32/Ymacco\nBackdoor:Win32/Tofsee\nMirai\nTEL:Exploit:O97M/CVE-2017-8570\nTofsee\nTrojan:Win32/Glupteba\nTrojan:Win32/Kryptik\nTrojan:Win32/Mydoom\nWin.Packed.Enigma-10023199-0\nWin.Packer.pkr_ce1a-9980177-0\nWin32:PWSX-gen\\ [Trj]",
"modified": "2024-10-16T15:00:45.833000",
"created": "2024-09-16T18:49:06.831000",
"tags": [
"dynamicloader",
"high",
"windows",
"medium",
"grum",
"yara detections",
"contacted",
"installs",
"windows startup",
"application",
"tofsee",
"stream",
"less see",
"copy",
"aaaa",
"virgin islands",
"whitelisted",
"antigua",
"org domains",
"proxy",
"code",
"search",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"body",
"possible",
"mozilla",
"delete c",
"windows nt",
"show",
"owotrus ca",
"limited",
"cnwotrus dv",
"server ca",
"write",
"malware",
"encrypt",
"as36647 oath",
"backdoor",
"trojan",
"all scoreblue",
"ipv4",
"urls",
"ransom",
"trojan features",
"related pulses",
"file samples",
"files matching",
"date hash",
"memcommit",
"read c",
"win32",
"icmp traffic",
"memreserve",
"showing",
"exploit",
"mirai",
"barbuda",
"barbuda unknown",
"hacktool",
"program",
"python",
"macintosh",
"intel mac",
"os x",
"khtml",
"gecko",
"bios",
"guard",
"updater",
"launcher",
"div div",
"span div",
"span svg",
"status",
"bugs",
"span",
"meta",
"path",
"div h3",
"telegram strong",
"a li",
"virtool",
"class",
"tour",
"read",
"delete",
"top source",
"top destination",
"as46606",
"change",
"moved",
"certificate",
"creation date",
"record value",
"suite",
"hostname",
"cookie",
"asnone united",
"as29873",
"cname",
"domain",
"url analysis",
"redacted for",
"script urls",
"a domains",
"as8560",
"germany unknown",
"name servers",
"for privacy",
"files",
"verdict",
"as393245 oath",
"mtb sep",
"servers",
"expiration date",
"overview domain",
"files ip",
"address",
"location united",
"asn as22612",
"whois registrar",
"namecheap inc",
"as22612",
"content type",
"apache",
"secure server",
"dnssec",
"meta http",
"content",
"gmt server",
"litespeed x",
"http scans",
"equiv cache",
"script endif",
"create c",
"wow64",
"slcc2",
"media center",
"write c",
"next",
"dock",
"execution",
"capture",
"xport",
"united kingdom",
"a nxdomain",
"as24940 hetzner",
"emails",
"script script",
"param",
"script",
"ul div",
"global domains",
"international",
"bank",
"agent",
"stack",
"life",
"win32mydoom sep",
"title",
"enigmaprotector",
"dynamic",
"powershell",
"filehash",
"worm",
"a div",
"all search",
"lowfi",
"copyright",
"as54994 quantil",
"as15169",
"virustotal",
"drweb",
"vipre",
"downloader",
"panda",
"local",
"dns replication",
"technology",
"server",
"privacy billing",
"email",
"registrar abuse",
"organization",
"privacy tech",
"privacy admin",
"algorithm",
"first",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"cnwe1 validity",
"subject public",
"key info",
"key algorithm",
"scan endpoints",
"pulse pulses",
"federation asn",
"as49505",
"labs pulses",
"internet",
"iana",
"city",
"los angeles",
"orgabusephone",
"orgid",
"iana ref",
"orgtechhandle",
"iana special",
"103.28.36.182",
"pegasus",
"103.224.212.222",
"103.129.252.44",
"162.0.215.111",
"apple",
"apple-access.com",
"as8075",
"date",
"phishing",
"csam",
"pii",
"piiexposure",
"flag",
"domain address",
"llc name",
"contacted hosts",
"ip address",
"process details"
],
"references": [
"Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP",
"Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034",
"Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks",
"Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services",
"Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request",
"*WEBSITE.WS Your Internet Address For Life",
"Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection",
"Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States",
"IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)",
"User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension",
"ASN AS13335 cloudflare DNS Resolutions",
"0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org",
"IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading",
"federallegionconnbot.t.me",
"thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn",
"pegasusintel.com",
"appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net",
"log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com",
"Alleged CSAM Alleged Phishing Alleged PIIExposure",
"https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
},
{
"id": "Win32:PWSX-gen\\ [Trj]",
"display_name": "Win32:PWSX-gen\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Trojan:Win32/Glupteba",
"display_name": "Trojan:Win32/Glupteba",
"target": "/malware/Trojan:Win32/Glupteba"
},
{
"id": "Trojan:Win32/Kryptik",
"display_name": "Trojan:Win32/Kryptik",
"target": "/malware/Trojan:Win32/Kryptik"
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Win.Packed.Enigma-10023199-0",
"display_name": "Win.Packed.Enigma-10023199-0",
"target": null
},
{
"id": "TEL:Exploit:O97M/CVE-2017-8570",
"display_name": "TEL:Exploit:O97M/CVE-2017-8570",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco",
"target": null
},
{
"id": "SLFPER:SoftwareBundler:Win32/Dlhelper",
"display_name": "SLFPER:SoftwareBundler:Win32/Dlhelper",
"target": null
},
{
"id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1226,
"FileHash-SHA256": 1691,
"FileHash-MD5": 807,
"FileHash-SHA1": 781,
"URL": 429,
"hostname": 1124,
"SSLCertFingerprint": 7,
"CVE": 1,
"email": 16,
"CIDR": 1
},
"indicator_count": 6083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "550 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66831f04ad169d3b685c9645",
"name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010",
"description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.",
"modified": "2024-10-14T20:36:07.924000",
"created": "2024-07-01T21:26:27.623000",
"tags": [
"no expiration",
"filehashsha256",
"hacktool",
"expiration",
"win32autokms no",
"filehashmd5",
"filehashsha1",
"virus",
"sha1",
"win32",
"trojan",
"ransom",
"pejzasz",
"vhash",
"imphash",
"ssdeep",
"hash",
"skrt",
"y pkmsauto",
"crlf",
"dodaj",
"hostsettings",
"v wczono",
"t regdword",
"powershell",
"nowy",
"pe32",
"intel",
"ms windows",
"nazwa typ",
"md5 nazwa",
"procesu",
"vs2013",
"rticon neutral",
"compiler",
"submission",
"file version",
"chi2",
"contained",
"authentihash",
"pehash",
"uacme akagi",
"cobalt strike",
"detects",
"roth",
"sliver stagers",
"highvol",
"detects imphash",
"zero",
"virustotal",
"detection rule",
"license",
"arnim rupp",
"whasz",
"github",
"postpuj zgodnie",
"przegld",
"danie id",
"github og",
"url https",
"error",
"toast",
"clientrender",
"date",
"promise",
"65536",
"client env",
"alloy",
"rangeerror",
"staff",
"upx dump",
"security",
"license v2",
"e8 ff",
"fc ff",
"ff ff",
"e8 f7",
"c3 e8",
"e8 db",
"f0 c9",
"c8 ff",
"c9 c3",
"c4 a8",
"a7 ff",
"f1 e8",
"ec c7",
"f0 c0",
"c1 e9",
"ec e8",
"ff e8",
"a3 a4",
"db e2",
"b0 e9",
"e8 ba",
"b9 f3",
"e4 f8",
"ff e9",
"eb ed",
"b6 b3",
"b6 bb",
"c8 f7",
"c6 a8",
"f6 c1",
"b0 d7",
"df e0",
"c4 f0",
"fc e8",
"cf e5",
"f8 ff",
"f7 ff",
"cc cc",
"c3 b8",
"b9 ff",
"ff f3",
"ab aa",
"f7 f9",
"b8 c7",
"be ad",
"ef be",
"ad de",
"e9 cd",
"c4 f4",
"fe ff",
"d1 fa",
"fa fc",
"f3 a6",
"fb ff",
"fc c6",
"fc eb",
"e8 ed",
"fb d1",
"b6 f8",
"c7 c7",
"ec d0",
"b6 d2",
"ff e1",
"c0 ac",
"c1 e3",
"c3 aa",
"c2 c1",
"d3 f7",
"fc c7",
"win32 cabinet",
"selfextractor",
"pecompact",
"yarahub",
"yara",
"repository",
"hub",
"repo",
"malware_onenote_delivery_jan23",
"yara rule",
"team",
"sifalconteam",
"yarahub entry",
"rule details",
"malpedia family",
"rule matching",
"content copy",
"download rule",
"malware",
"cc by",
"vbscript",
"sub autoopen",
"getobject",
"batch"
],
"references": [
"https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
"https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23"
],
"public": 1,
"adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 361,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 14732,
"FileHash-MD5": 4316,
"FileHash-SHA1": 3405,
"YARA": 181,
"URL": 4793,
"domain": 1717,
"hostname": 4354,
"IPv4": 107,
"IPv6": 845,
"email": 26,
"CVE": 13,
"FilePath": 1
},
"indicator_count": 34490,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "552 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65c1cdc5d695c35205593bde",
"name": "https://callback.mobileboost.me",
"description": "cobalt strike cnc, malware, network, execution, antivm_queries_computername, tulach, schema abuse, callback, contact, malicious, boost mobile, t-mobile, targets,Tsara, brashears, cyber threat, hacking, sabey, data center, cyber, cp",
"modified": "2024-03-07T05:01:03.052000",
"created": "2024-02-06T06:12:21.372000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"files",
"domain",
"files ip",
"address domain",
"url https",
"http",
"files domain",
"files related",
"cname",
"united",
"unknown",
"nxdomain",
"a nxdomain",
"ssl certificate",
"contacted",
"whois record",
"resolutions",
"whois whois",
"historical ssl",
"referrer",
"problems",
"execution",
"subdomains",
"startpage",
"simda",
"first",
"utc submissions",
"submitters",
"psiusa",
"domain robot",
"csc corporate",
"domains",
"tucows",
"ltd dba",
"com laude",
"twitter",
"indonesia",
"installer",
"kgs0",
"kls0",
"redlinestealer",
"kangen",
"china telecom",
"group",
"computer",
"company limited",
"summary iocs",
"malware",
"network",
"obz4usfn0 http",
"contacted urls",
"gootloader",
"iframe",
"stus",
"cnus",
"regsetvalueexa",
"cobalt strike",
"search",
"regdword",
"ssl cert",
"tlsv1 apr",
"cobaltstrike",
"trojan",
"copy",
"write",
"june",
"win64",
"porkbun llc",
"mb opera",
"china unicom",
"tmobileas21928",
"graph community",
"china education",
"center",
"showing",
"entries"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1874,
"hostname": 2812,
"URL": 8308,
"FileHash-SHA256": 5549,
"FileHash-MD5": 364,
"FileHash-SHA1": 326,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 19237,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "773 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65afca8042c6fe9412bfa29b",
"name": "Red Team & Law Firm hijack targets Denver, Arizona, Indiana",
"description": "",
"modified": "2024-01-23T14:17:36.291000",
"created": "2024-01-23T14:17:36.291000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65aec0fde095e6b58d81150c",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "817 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65afbae2f2128524e68c4344",
"name": "RED TEAM ",
"description": "",
"modified": "2024-01-23T13:10:58.488000",
"created": "2024-01-23T13:10:58.488000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65aebfa135f9d1d8ba5d74a9",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "craignbmed",
"id": "181999",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_181999/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 45,
"modified_text": "817 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65aec5db33e8f0cb8010282c",
"name": "Dark Angels Newest Threat -ESXi Ransomware [Pulse created by another user]",
"description": "",
"modified": "2024-01-22T19:45:31.378000",
"created": "2024-01-22T19:45:31.378000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65aec0fde095e6b58d81150c",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "818 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65aec0fde095e6b58d81150c",
"name": "Red Team & Law Firm attack target [copy users pulse] Denver, Arizona, Indiana, Germany",
"description": "",
"modified": "2024-01-22T19:24:45.664000",
"created": "2024-01-22T19:24:45.664000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65aebfa135f9d1d8ba5d74a9",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "818 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65aebfa135f9d1d8ba5d74a9",
"name": "Red Team - Cyber Security Defense Team attacking individuals for Attorney [copy]",
"description": "",
"modified": "2024-01-22T19:18:57.869000",
"created": "2024-01-22T19:18:57.869000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65709f9a3d87b76cacd54245",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "818 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658ef7e1acd8561bef76bf35",
"name": "Stealth Network | Malware. [Pulse by OctoSeek]",
"description": "",
"modified": "2023-12-29T16:46:25.442000",
"created": "2023-12-29T16:46:25.442000",
"tags": [
"win64",
"copy",
"entries",
"read",
"write",
"delete",
"scan endpoints",
"all octoseek",
"filehash",
"pulse pulses",
"malware",
"guard",
"april",
"dynamicloader",
"dynamic",
"high priority",
"hashes c2ae",
"capa",
"evasive",
"create mutex",
"executable",
"vhash",
"imphash",
"rich pe",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"trid win64",
"win16 ne",
"compiler",
"valid from",
"serial number",
"rsa time",
"aptx software",
"algorithm",
"thumbprint",
"sectigo rsa",
"time stamping",
"stamping signer",
"file",
"stealth timeout",
"setunhandledexceptionfilter",
"name virtual",
"address virtual",
"size raw",
"size entropy",
"md5 chi2",
"unsigned file",
"dynamic function loading",
"antidebug",
"guardpages",
"credit card"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64: MalwareX-gen\\ [Trj)",
"display_name": "Win64: MalwareX-gen\\ [Trj)",
"target": null
},
{
"id": "Trojan.MSIL.Disdroth",
"display_name": "Trojan.MSIL.Disdroth",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "658c8225476c22a1aa7cef50",
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 220,
"FileHash-SHA1": 212,
"FileHash-SHA256": 1003,
"URL": 6,
"domain": 1,
"hostname": 4
},
"indicator_count": 1446,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "842 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658c8225476c22a1aa7cef50",
"name": "Stealth Network | Malware",
"description": "536a463ff37d9cad760e67734de42a4d.virus\n\nCreates file process on Windows, accepts arguments, gains attributes, encrypt data using DPAPI, encode data using Base64, encrypt data using RC4 PRGA, parse credit card information, link function at runtime on Windows, create pipe",
"modified": "2023-12-27T19:59:33.495000",
"created": "2023-12-27T19:59:33.495000",
"tags": [
"win64",
"copy",
"entries",
"read",
"write",
"delete",
"scan endpoints",
"all octoseek",
"filehash",
"pulse pulses",
"malware",
"guard",
"april",
"dynamicloader",
"dynamic",
"high priority",
"hashes c2ae",
"capa",
"evasive",
"create mutex",
"executable",
"vhash",
"imphash",
"rich pe",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"trid win64",
"win16 ne",
"compiler",
"valid from",
"serial number",
"rsa time",
"aptx software",
"algorithm",
"thumbprint",
"sectigo rsa",
"time stamping",
"stamping signer",
"file",
"stealth timeout",
"setunhandledexceptionfilter",
"name virtual",
"address virtual",
"size raw",
"size entropy",
"md5 chi2",
"unsigned file",
"dynamic function loading",
"antidebug",
"guardpages",
"credit card"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win64: MalwareX-gen\\ [Trj)",
"display_name": "Win64: MalwareX-gen\\ [Trj)",
"target": null
},
{
"id": "Trojan.MSIL.Disdroth",
"display_name": "Trojan.MSIL.Disdroth",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 220,
"FileHash-SHA1": 212,
"FileHash-SHA256": 1003,
"URL": 6,
"domain": 1,
"hostname": 4
},
"indicator_count": 1446,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "844 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a4049421d107b6ade1c0",
"name": "",
"description": "",
"modified": "2023-12-06T16:40:36.624000",
"created": "2023-12-06T16:40:36.624000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a3fdf7637f464de729d2",
"name": "Undefined Name",
"description": "",
"modified": "2023-12-06T16:40:29.875000",
"created": "2023-12-06T16:40:29.875000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a3f88930c56241d29c80",
"name": "Spammer",
"description": "",
"modified": "2023-12-06T16:40:24.522000",
"created": "2023-12-06T16:40:24.522000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a3f24e8fd846cc01d23e",
"name": "DGA DOMAIN",
"description": "",
"modified": "2023-12-06T16:40:18.209000",
"created": "2023-12-06T16:40:18.209000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a3ec011405ef6fcd8cb0",
"name": "Passive DNS",
"description": "",
"modified": "2023-12-06T16:40:12.247000",
"created": "2023-12-06T16:40:12.247000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65709f9a3d87b76cacd54245",
"name": "Concerning link. Honeypot? Red Team? Privilege Abuse? Probably",
"description": "",
"modified": "2023-12-06T16:21:46.026000",
"created": "2023-12-06T16:21:46.026000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"domain": 1083,
"URL": 4338,
"hostname": 1386,
"FileHash-SHA256": 1740,
"FileHash-SHA1": 83,
"email": 12,
"FileHash-MD5": 96
},
"indicator_count": 8740,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653fd47a852cc130c72de9e5",
"name": "BGP.Tools",
"description": "",
"modified": "2023-11-29T05:05:42.592000",
"created": "2023-10-30T16:06:18.567000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"whois whois",
"communicating",
"relacionada",
"resolutions",
"historical ssl",
"collections new",
"family",
"lolkek",
"dark power",
"ransomware",
"play ransomware",
"makop",
"core",
"redline stealer",
"hacktool",
"emotet",
"quasar rat",
"wiper",
"ursnif",
"malware",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server",
"date wed",
"html info",
"meta tags",
"name verdict",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"ascii text",
"et tor",
"known tor",
"meta",
"monitoring",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"date",
"unknown",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"njrat",
"cobalt strike"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653f4d0c4cca0c5f58530600",
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3631,
"FileHash-MD5": 45,
"FileHash-SHA1": 44,
"FileHash-SHA256": 1788,
"CVE": 5,
"domain": 543,
"hostname": 1328,
"CIDR": 2,
"email": 1
},
"indicator_count": 7387,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f4d0c4cca0c5f58530600",
"name": "BGP.Tools",
"description": "BGP is a very malicious, developed spyware tool. Attorneys, insurance companies use tool. BGP Hurricane. In the past they will call target and a modem connects draining ALL content. It can CNC device, erase everything from it, manipulate dropbox as well as other clouds. Very destructive.Once you're a target your privacy is gone for good. Assertions from threat crowd that CISA/Valmet are government phishing entities concerns me. BGP gets a 100% malicious score. Listed as part of infrastructure is CISA. A familiar name in adult content and other commands, vulnerabilities,etc. I'm not sure what to believe, or what's going on.",
"modified": "2023-11-29T05:05:42.592000",
"created": "2023-10-30T06:28:28.160000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"whois whois",
"communicating",
"relacionada",
"resolutions",
"historical ssl",
"collections new",
"family",
"lolkek",
"dark power",
"ransomware",
"play ransomware",
"makop",
"core",
"redline stealer",
"hacktool",
"emotet",
"quasar rat",
"wiper",
"ursnif",
"malware",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server",
"date wed",
"html info",
"meta tags",
"name verdict",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"ascii text",
"et tor",
"known tor",
"meta",
"monitoring",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"date",
"unknown",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"njrat",
"cobalt strike"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3631,
"FileHash-MD5": 45,
"FileHash-SHA1": 44,
"FileHash-SHA256": 1788,
"CVE": 5,
"domain": 543,
"hostname": 1328,
"CIDR": 2,
"email": 1
},
"indicator_count": 7387,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7c709c8a4e9c777c77fb",
"name": " ",
"description": "",
"modified": "2023-09-11T20:45:36.974000",
"created": "2023-09-11T20:45:36.974000",
"tags": [
"united",
"script urls",
"path max",
"age86400 set",
"cookie",
"passive dns",
"urls",
"creation date",
"search",
"record value",
"unknown",
"date",
"body",
"domain related",
"status",
"value dnssec",
"domain name",
"expiration date",
"llc state",
"arizona status",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64ff7c5912f586a9a6f1d051",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1556,
"hostname": 1962,
"URL": 5396,
"email": 23,
"FileHash-SHA256": 2497,
"FileHash-MD5": 193,
"FileHash-SHA1": 163,
"CVE": 2
},
"indicator_count": 11792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "951 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7c5912f586a9a6f1d051",
"name": " '_'",
"description": "",
"modified": "2023-09-11T20:45:13.685000",
"created": "2023-09-11T20:45:13.685000",
"tags": [
"united",
"script urls",
"path max",
"age86400 set",
"cookie",
"passive dns",
"urls",
"creation date",
"search",
"record value",
"unknown",
"date",
"body",
"domain related",
"status",
"value dnssec",
"domain name",
"expiration date",
"llc state",
"arizona status",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64ff7c3e317fca955b512771",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1556,
"hostname": 1962,
"URL": 5396,
"email": 23,
"FileHash-SHA256": 2497,
"FileHash-MD5": 193,
"FileHash-SHA1": 163,
"CVE": 2
},
"indicator_count": 11792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "951 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7c3e317fca955b512771",
"name": "Spammer ",
"description": "",
"modified": "2023-09-11T20:44:46.122000",
"created": "2023-09-11T20:44:46.122000",
"tags": [
"united",
"script urls",
"path max",
"age86400 set",
"cookie",
"passive dns",
"urls",
"creation date",
"search",
"record value",
"unknown",
"date",
"body",
"domain related",
"status",
"value dnssec",
"domain name",
"expiration date",
"llc state",
"arizona status",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64ff7c15511f0383f74b70e0",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1556,
"hostname": 1962,
"URL": 5396,
"email": 23,
"FileHash-SHA256": 2497,
"FileHash-MD5": 193,
"FileHash-SHA1": 163,
"CVE": 2
},
"indicator_count": 11792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "951 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7c15511f0383f74b70e0",
"name": "DGA DOMAIN ",
"description": "",
"modified": "2023-09-11T20:44:05.332000",
"created": "2023-09-11T20:44:05.332000",
"tags": [
"united",
"script urls",
"path max",
"age86400 set",
"cookie",
"passive dns",
"urls",
"creation date",
"search",
"record value",
"unknown",
"date",
"body",
"domain related",
"status",
"value dnssec",
"domain name",
"expiration date",
"llc state",
"arizona status",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64ff7b32ed4ca99b3a372173",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1556,
"hostname": 1962,
"URL": 5396,
"email": 23,
"FileHash-SHA256": 2497,
"FileHash-MD5": 193,
"FileHash-SHA1": 163,
"CVE": 2
},
"indicator_count": 11792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "951 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64ff7b32ed4ca99b3a372173",
"name": "Passive DNS ",
"description": "",
"modified": "2023-09-11T20:40:18.041000",
"created": "2023-09-11T20:40:18.041000",
"tags": [
"united",
"script urls",
"path max",
"age86400 set",
"cookie",
"passive dns",
"urls",
"creation date",
"search",
"record value",
"unknown",
"date",
"body",
"domain related",
"status",
"value dnssec",
"domain name",
"expiration date",
"llc state",
"arizona status",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d6a36bb35a9bfd13925ed3",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1556,
"hostname": 1962,
"URL": 5396,
"email": 23,
"FileHash-SHA256": 2497,
"FileHash-MD5": 193,
"FileHash-SHA1": 163,
"CVE": 2
},
"indicator_count": 11792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "951 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64d6a36bb35a9bfd13925ed3",
"name": "Concerning link. Honeypot? Red Team? Privilege Abuse? Probably",
"description": "Hacked from VT by malicious code. Was a malicious link.\n(Not me I'm working alongside a hacker as always: The full text of the full report on the GoDaddy.com website, which was created in 2010, has been released.. and is available to view on www.happylifehappywife.)",
"modified": "2023-09-11T01:03:05.359000",
"created": "2023-08-11T21:08:59.401000",
"tags": [
"united",
"script urls",
"path max",
"age86400 set",
"cookie",
"passive dns",
"urls",
"creation date",
"search",
"record value",
"unknown",
"date",
"body",
"domain related",
"status",
"value dnssec",
"domain name",
"expiration date",
"llc state",
"arizona status",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1556,
"hostname": 1962,
"URL": 5396,
"email": 23,
"FileHash-SHA256": 2497,
"FileHash-MD5": 193,
"FileHash-SHA1": 163,
"CVE": 2
},
"indicator_count": 11792,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "951 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
"endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
"Believed to be originating from Germany and Russia",
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request",
"Crowdsourced SIGMA Below:",
"Alerts: cape_detected_threat",
"howtoworkacrickoutofyourneck2.pages.dev",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension",
"Crypt3.BXVC IDS: Abuseat.org Block Message",
"Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"https://clear.ml/infrastructure-control-plane",
"http://wonporn.com/top/Pakistani_Sucking",
"crypto-pool.fr",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"federallegionconnbot.t.me",
"Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252",
"IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"Pegasus | A targets devices are obviously infiltrated",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Unique rule identifier: This rule belongs to a private collection.",
"Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"okta-dev.gov2x.com",
"www.joewa.com",
"https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo",
"Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
"0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org",
"https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
"https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"ConventionEngine_Anomaly_MultiPDB_Double",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
"sprouts@em.sprouts.com?",
"This pulse is so huge it\u2019s a mess. Will break down.",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23",
"Address shows an place of origin: Broomfield , Co",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Alerts: cape_detected_threat https_ urls",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/",
"https://hello.riskxchange.co/api/mailings/unsubscribe",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af",
"Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP",
"https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,",
"Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"https://www.virustotal.com/gui/collection/c180064c3dcd55cc40629fa447f5d6638ebd1149ef5e9b314d98edd1a12c3dd4/iocs",
"www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com",
"ASN AS13335 cloudflare DNS Resolutions",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"Domains Contacted: drive.usercontent.google.com",
"Crypt3.BXVC IDS: Suspicious double Server Header",
"Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Alleged CSAM Alleged Phishing Alleged PIIExposure",
"https://jviwczq.zc-apple.com/",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"IDS: Observed Suspicious UA (Hello, World)",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"firebase-auth-eich0v.pages.dev",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691344&Signature=A2cVxTc9%2BKZZCD2SmoAjI0aXbPY22pk7I1QJy7R2y%2BRsrLX92hzFv68Vi7comdtal%2Fuh3W7CMuZ8hDgp78Pw8zje7Q2YzJcR8JDI68PDoDzY8jcybL8TnZmww8R%2BGrhifWwAk4YtGpL0ed9eQq25Bll1Iblvwmlvf%2BeNmKXDLE4Z9tnexW3rEF9Cn%2F3%2FEot5fy94kXVZuuiiZo26%2FeB9gHka1Kfjdj%2FfJPnTKy",
"2d7df8245c523a5cf3ddeba2290d7aca9ab3c232c3d4f50fc13191bf423e19e6",
"pegasusintel.com",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691373&Signature=tGkOgGIRwglmNlZyyJdH94zuGYX%2FS9d2N3Cuz779NTCxbmiabKdLUVC4suOPbJVvGO0v%2BgRtbJbM%2B6ZDa1%2FsA2%2BJXpHt3kThSLLFxLGbIXPApvtgejn%2FLf5yA7kly76P0rzFE3e1ZH1F3tZtuzqswLr15vKv0fMWHVQgeVUjjCCcyBLQUbAPNU%2Bm34r%2BidTop8LXgsvM%2BdG9a2Cr6gk2fwCVyHmO6WAdPM1yY7lmOx3ysTWADRpt",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,",
"Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Potentially Pegasus related . Found to be affecting an IOS device",
"IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading",
"api.optimizer.insitemaxdev.gov2x.com",
"https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com",
"http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"BGP Hurricane Electric seen",
"IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"verify.gov.tl",
"https://kb.drakesoftware.com/Site/Browse/15183/State",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"Indicators seen may have affected a few OTX users. Is ongoing",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"supply.qld.gov.au",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"Sprouts Farmers Market",
"Attacks are being carried out by The State of Colorado",
"Pandex!gen1 Web Products",
"http://blackrock.work.gd/",
"supplierportal.gov2x.com",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW",
"Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"Sabey , Ahmann, Quasi Government, Government",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"*WEBSITE.WS Your Internet Address For Life",
"iot.insitemaxdev.gov2x.com",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"https://khmerpornvideo.signup0.y.id/",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
"Crowdsourced IDS Below:",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"Scanning Host: 13.107.246.70",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"Loads modules at runtime Looks up procedures from modules",
"endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691312&Signature=vEpYxY%2F4CQmF6hT9MCtv1Rt%2Bej2RQWoV49iHYR0etU9QOMDDvNac0Ad54ONwSUM6Rkm1EHnxUImDAPsR0fVybpNRv8rtsyQ56YcSqkrni7bUUTWuUuvSEes6f2XiIpynJVCz2yjMlhbihI6eRkw%2FybsHFV%2B1EvWH5IxHIyxtkcgQOB44dpzDGE9mgZHwMB2fup%2BboFRgeKxLHkqzWmbvcFvBaNv5jRgcIcFceBxhuxN%2FzPmGnk",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/",
"Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com",
"appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net",
"https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303",
"https://dns.google/resolve?name=SELECT",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"freedns.afraid.org",
"Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
"https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2",
"Malware Hosting: 13.107.226.70",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"@GRAMMERSoft",
"rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri"
],
"malware_families": [
"Cve-2024-6387",
"Win.downloader.3867-1",
"Cycbot",
"Alf:nid:susp_nsis_stub.a",
"Trojandropper:win32/systex.a",
"Sf:shellcode-au\\ [trj]",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Pegasus",
"Trojan.msil.disdroth",
"Alf:exploit:o97m/cve-2017-8977",
"Slfper:softwarebundler:win32/dlhelper",
"Alf:program:win32/webcompanion",
"Nids",
"Win.packed.enigma-10023199-0",
"Win.trojan.vbgeneric-6735875-0",
"Mirai (elf)",
"Web products",
"Trojandownloader:win32/cutwail.bs",
"Cve-2025-20393",
"Pandex!gen1",
"#lowfi:hookwowlow",
"Win.downloader.small-4507",
"Backdoor:win32/tofsee.t",
"Win.trojan.tepfer-61",
"Trojan:win32/mydoom",
"#lowfi:lua:autoitv3craftedoverlay",
"Unix.trojan.gafgyt-6981154-0",
"Ddos:linux/gafgyt.ya!mtb",
"Win.packer.pkr_ce1a-9980177-0",
"Et",
"Backdoor:win32/tofsee",
"Win32:trojano-chf\\ [trj]",
"#lowfi:hstr:criakl.b1",
"Worm:win32/autorun!atmn",
"Mirai",
"Trojan.sagnt/r011c0dfs24",
"Trojan:win32/qbot.r!mtb",
"Win.malware.salat-10058846-0",
"Tofsee",
"Backdoor:linux/demonbot.aa!mtb",
"Win.trojan.qakbot-9988002-1",
"Worm:win32/mofksys.rnd!mtb",
"Win32:evo-gen\\ [susp]",
"Slf:win64/cobpipe.a",
"Virtool:win32/ceeinject.gen!ah",
"Win32:botx-gen\\ [trj]",
"Win64: malwarex-gen\\ [trj)",
"Win.malware.mikey-9949492-0",
"Tel:exploit:o97m/cve-2017-8570",
"Crypt3.bxvc",
"Unix.trojan.mirai-7669677-0",
"#lowfidetectsvmware",
"Trojan:win32/kryptik",
"Trojandownloader:win32/cutwail",
"Backdoor:win32/arwobot.b",
"Win32:pwsx-gen\\ [trj]",
"Win.trojan.emotet-9850453-0",
"Alf:trojan:win32/anorocuriv.a",
"Alf:jasyp:trojandownloader:win32/smallagent!atmn",
"Win.trojan.pushdo-15",
"Unix.trojan.tsunami-6981155-0",
"Win.trojan.gravityrat-6511862-0",
"Inject2.bive",
"Cve-2018-10562",
"Trojan:win32/glupteba",
"Cve-2017-11882",
"Win.keylogger.qbot-9987768-0",
"Unix.trojan.mirai",
"Worm",
"Trojandownloader:win32/cutwailransom:win32/crowti.a",
"Win.trojan.tofsee-7102058-0",
"Zergeca",
"Cve-2023-22518",
"Ransom:win32/crowti.a",
"Win.packed.bandook-9882274-1",
"Virtool:win32/vbinject.gen!mh",
"Win.trojan.cobaltstrike-9044898-1",
"Alf:heraklezeval:trojan:win32/ymacco"
],
"industries": [
"Healthcare",
"Irs",
"Construction",
"Education",
"Finance",
"Insurance",
"Technology",
"Energy",
"Telecommunications",
"Retail",
"Government"
],
"unique_indicators": 197548
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/sectigo.com",
"whois": "http://whois.domaintools.com/sectigo.com",
"domain": "sectigo.com",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 47,
"pulses": [
{
"id": "69d98d5e88461ed06547690c",
"name": "CAPE ***** GRAMMERsoft. Love Letter ****",
"description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt",
"modified": "2026-04-19T09:05:59.274000",
"created": "2026-04-10T23:53:02.973000",
"tags": [
"cname",
"p2404",
"accept",
"default",
"host",
"strong",
"library",
"p11776139675",
"gmt range",
"p11776090280",
"shutdown",
"generic",
"bits",
"next ur",
"file type",
"ascii text",
"crlf line",
"ms windows",
"pe32",
"drops pe",
"intel",
"yara",
"sigma",
"njrat",
"malicious",
"darkcomet",
"code",
"delphi",
"dbatloader",
"loader",
"fraud",
"notpetya",
"killmbr",
"trojanransom",
"ransomware",
"next",
"settings",
"parent pid",
"full path",
"command line",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"format",
"shell",
"payload",
"kevin",
"revengerat",
"aspack",
"vmprotect",
"meteorite",
"petya",
"infinitylock",
"redline",
"remcos",
"javadropper",
"lokibot",
"guard",
"mono",
"eternalromance",
"exploit",
"badrabbit",
"windows sandbox",
"calls process",
"vbcrlf",
"error resume",
"next dim",
"page",
"loveletter",
"script",
"createobject",
"html",
"meta",
"name",
"title",
"body",
"iloveyou",
"generator",
"philippines",
"loop",
"@grammersoft",
"calls clear",
"ip address",
"cape sandbox",
"bootkit",
"t1055",
"t1497",
"error",
"back",
"pe file",
"network info",
"processes extra",
"sample",
"aslr",
"performs dns",
"t1055 process",
"overview",
"mitre attack",
"overview zenbox",
"none rticon",
"pattern",
"none image",
"file size",
"entity",
"winmm",
"dword",
"locale",
"screensaver",
"alexa",
"stars",
"crypt32",
"ddraw",
"winsta",
"ip traffic",
"lockfile"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
"https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
"https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t"
],
"public": 1,
"adversary": "@GRAMMERSoft",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1219",
"name": "Remote Access Software",
"display_name": "T1219 - Remote Access Software"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 513,
"FileHash-MD5": 613,
"FileHash-SHA1": 373,
"FileHash-SHA256": 569,
"URL": 466,
"hostname": 580,
"domain": 60,
"email": 3,
"CVE": 2,
"JA3": 1
},
"indicator_count": 3180,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "14 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e0941d8d439e7a477874c8",
"name": "Overlay + Exp Certs",
"description": "",
"modified": "2026-04-17T06:42:04.558000",
"created": "2026-04-16T07:47:41.334000",
"tags": [
"gb st",
"salford o",
"sectigo limited",
"sectigo rsa",
"time stamping",
"yara detections",
"legalcopyright",
"iobit",
"cn st",
"sheng l"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 562,
"FileHash-SHA1": 136,
"FileHash-SHA256": 2302,
"URL": 129,
"IPv4": 111,
"domain": 24,
"hostname": 120,
"email": 2,
"JA3": 3
},
"indicator_count": 3389,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b5d3a6f42c76f35980da09",
"name": "CAPE Sandbox- TLP: Amber and Strict",
"description": "Following.",
"modified": "2026-04-13T21:01:18.278000",
"created": "2026-03-14T21:31:18.765000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 78,
"FileHash-SHA1": 95,
"FileHash-SHA256": 86,
"domain": 40,
"hostname": 119,
"URL": 141
},
"indicator_count": 559,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b49a4f8a43283f82d150d2",
"name": "CAPE Sandbox - Sysdiag",
"description": "While this may be a prior discovery (uncertain background of it)- it has been my single largest fear. msudosos research suggests: Sysdiag ability to read / write its own. is effectively \"gaslighting\" the operating system. The analyzed file (Hash: fd373...8fd) demonstrates high-level anti-forensic capabilities. Its most dangerous feature is the active interception and rewriting of System Diagnostic (SysDiag) logs to mask its presence.\nTechnical Findings:\nLive Log Tampering: The malware monitors system event streams in real-time. It identifies entries related to its own execution (process starts, registry changes) and deletes or modifies them before they are committed to disk.\nSandbox Subversion: By \"writing its own\" diagnostic data, it feeds the CAPE sandbox false information, making malicious actions appear as standard Windows telemetry.\nPrivilege Escalation: To rewrite these logs, the malware is successfully gaining SYSTEM-level permissions, likely via exploit or token stealing.",
"modified": "2026-04-13T00:21:24.884000",
"created": "2026-03-13T23:14:23.778000",
"tags": [
"pe32",
"intel",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"pe32 installer",
"install system",
"compiler",
"linker"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 19,
"FileHash-SHA1": 22,
"FileHash-SHA256": 38,
"hostname": 52,
"URL": 39,
"domain": 10
},
"indicator_count": 180,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b4a2620d4d557263906d13",
"name": "VirusTotal report\n for sysdiag-all-x64-6.0.8.5-2026.01.11.1.exe",
"description": "See my summary of last report. Likely remeasures sandboxed environments making scores lower. (speculation)",
"modified": "2026-04-12T23:35:46.239000",
"created": "2026-03-13T23:48:50.318000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 32,
"FileHash-MD5": 24,
"FileHash-SHA1": 24,
"FileHash-SHA256": 138,
"domain": 11,
"hostname": 27,
"email": 2
},
"indicator_count": 258,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69b1fe81a036fb6a5d7fe16c",
"name": "VirusTotal report\n for executable.exe",
"description": "",
"modified": "2026-04-10T23:06:53.889000",
"created": "2026-03-11T23:45:05.153000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1,
"URL": 14,
"hostname": 7,
"domain": 4
},
"indicator_count": 28,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d6e664f3469eb0ca747caf",
"name": "CAPE Sandbox",
"description": "A Malware Analysis Service (MZP) sample has been found on a Windows operating system, and the results are published on the BBC News website and BBC World News app, as well as online.> Zenbox does not pick this up as Cape and juju do, noting for QA analysis. Mitre Signatures\n52. Interesting: \n3Planesoft Screensaver Manager\nMore info\nhttps://www.3planesoft.com",
"modified": "2026-04-08T23:51:41.181000",
"created": "2026-04-08T23:36:04.116000",
"tags": [
"registry keys",
"nothing",
"localsm05880168",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"read files",
"apis nothing",
"windows sandbox",
"calls clear",
"pe file",
"sample",
"mitre attack",
"network info",
"contains",
"aslr",
"program",
"t1055 process",
"overview",
"processes extra",
"code",
"delphi",
"next",
"resolutions",
"ip traffic",
"registry value",
"encoding",
"registry key",
"evasion b0002",
"evasion b0003",
"f0001",
"analysis ob0002",
"packing f0001",
"screen capture",
"e1113 winapi",
"one drive"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691312&Signature=vEpYxY%2F4CQmF6hT9MCtv1Rt%2Bej2RQWoV49iHYR0etU9QOMDDvNac0Ad54ONwSUM6Rkm1EHnxUImDAPsR0fVybpNRv8rtsyQ56YcSqkrni7bUUTWuUuvSEes6f2XiIpynJVCz2yjMlhbihI6eRkw%2FybsHFV%2B1EvWH5IxHIyxtkcgQOB44dpzDGE9mgZHwMB2fup%2BboFRgeKxLHkqzWmbvcFvBaNv5jRgcIcFceBxhuxN%2FzPmGnk",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691344&Signature=A2cVxTc9%2BKZZCD2SmoAjI0aXbPY22pk7I1QJy7R2y%2BRsrLX92hzFv68Vi7comdtal%2Fuh3W7CMuZ8hDgp78Pw8zje7Q2YzJcR8JDI68PDoDzY8jcybL8TnZmww8R%2BGrhifWwAk4YtGpL0ed9eQq25Bll1Iblvwmlvf%2BeNmKXDLE4Z9tnexW3rEF9Cn%2F3%2FEot5fy94kXVZuuiiZo26%2FeB9gHka1Kfjdj%2FfJPnTKy",
"https://vtbehaviour.commondatastorage.googleapis.com/0000005c6c102a59fd629c8420ed314ad76b826951c5249b0ac43c93c679227b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775691373&Signature=tGkOgGIRwglmNlZyyJdH94zuGYX%2FS9d2N3Cuz779NTCxbmiabKdLUVC4suOPbJVvGO0v%2BgRtbJbM%2B6ZDa1%2FsA2%2BJXpHt3kThSLLFxLGbIXPApvtgejn%2FLf5yA7kly76P0rzFE3e1ZH1F3tZtuzqswLr15vKv0fMWHVQgeVUjjCCcyBLQUbAPNU%2Bm34r%2BidTop8LXgsvM%2BdG9a2Cr6gk2fwCVyHmO6WAdPM1yY7lmOx3ysTWADRpt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1124",
"name": "System Time Discovery",
"display_name": "T1124 - System Time Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 43,
"FileHash-MD5": 115,
"FileHash-SHA1": 89,
"FileHash-SHA256": 311,
"URL": 42,
"hostname": 55,
"domain": 3
},
"indicator_count": 658,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d1396bb42208f8aa25b8ae",
"name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable",
"description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.",
"modified": "2026-04-04T16:16:43.680000",
"created": "2026-04-04T16:16:43.680000",
"tags": [
"binary",
"yara rule",
"binary file",
"yara",
"pe section",
"av detections",
"ip address",
"url analysis",
"urls",
"singapore",
"singapore asn",
"as14061",
"edgeview drive",
"suite",
"broomfield",
"colorado",
"key usage",
"handle",
"v3 serial",
"number",
"cert validity",
"asia pacific",
"traefik default",
"cert",
"thumbprint",
"name",
"all filehash",
"learn",
"adversaries",
"calls",
"ck id",
"name tactics",
"suspicious",
"informative",
"reads",
"defense evasion",
"loads",
"model",
"call",
"getprocaddress",
"span",
"path",
"mitre att",
"ck matrix",
"access type",
"value",
"windir",
"open",
"error",
"click",
"contact",
"meta",
"april",
"hybrid",
"format",
"strings",
"united",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"status",
"fastest privacy",
"first dns",
"trojan",
"pegasus",
"title",
"dynamicloader",
"ms windows",
"intel",
"pe32 executable",
"win32",
"medium",
"pe32",
"high",
"mozilla",
"delphi",
"injectdll",
"write",
"malware",
"observer",
"stream",
"unknown",
"lredmond",
"stwa",
"omicrosoft",
"stwashington",
"server ca",
"https domain",
"accept",
"read c",
"ogoogle trust",
"worm",
"code",
"td td",
"td tr",
"a td",
"dynamic dns",
"name servers",
"arial",
"zeppelin",
"null",
"enough",
"hosts",
"fast",
"tls sni",
"cloudflare dns",
"google dns",
"showing",
"get icarus",
"show",
"ascii text",
"global",
"next",
"cc fd",
"d4 dc",
"a3 ad",
"a8 c7",
"bb c7",
"f0 f1",
"f4 ca",
"bc a1",
"win64",
"local",
"otx logo",
"hostname",
"passive dns",
"files",
"less",
"related tags",
"servers",
"certificate",
"domain",
"cloudflare",
"khtml",
"gecko",
"ids detections",
"yara detections",
"ip lookup",
"encrypt",
"elf executable",
"sysv",
"linux",
"elf64 operation",
"unix",
"exec amd6464",
"elf geomi",
"modify system",
"process l",
"t1543",
"systemd service",
"ta0004",
"techniques",
"process create",
"modify syst",
"t1036 indicator",
"remc t1070",
"file",
"directoi t1222",
"t1027 masquerac",
"t1070",
"data upload",
"extraction",
"failed",
"ta0005",
"t1027",
"memory pattern",
"domains",
"dns resolutions",
"full reports",
"v ip",
"traffic tcp",
"g sh",
"c tmpsample",
"binrm f",
"usrbinid id",
"usrbinsystemctl",
"proc1environ",
"proccpuinfo",
"include",
"review exclude",
"sample",
"https",
"performs dns",
"tls version",
"mitre attack",
"network info",
"file type",
"persistence",
"include review",
"exclude sugges",
"find s",
"unique ru",
"review occ",
"exclude data",
"alvoes",
"include data",
"suggest",
"find c",
"typ filet",
"filet ce",
"layer protocol",
"http performs",
"reads cpu",
"proc indicative",
"filet filet",
"pulse",
"file hach",
"h1256",
"filer data",
"typ data",
"filer filehuon",
"filet filer",
"exchange all",
"typ no",
"no entri",
"exclude",
"suggested ocs",
"manualy",
"hua muicalul",
"find",
"indicatore",
"typ innicatad",
"new threat",
"dive into",
"zergeca botnet",
"reference",
"report publish",
"zergeca",
"all se",
"matches edolavd",
"matches data",
"matches matches",
"type",
"extr",
"tico data",
"get hello",
"mirai variant",
"useragent",
"hello",
"outbound",
"world",
"search",
"hackingtrio ua",
"inbound",
"mirai",
"info",
"shell",
"pulse pulses",
"files ip",
"address domain",
"ip related",
"labs pulses",
"pulses",
"post",
"http traffic",
"tocstut",
"reference id",
"xor key",
"canada",
"america",
"germany",
"doh",
"ddos",
"botnet",
"en",
"xor",
"twitter",
"stop",
"loader",
"downloader",
"zerg",
"mirai",
"golang",
"c2 resolution",
"germany",
"c2 ip",
"virustotal",
"smux",
"ck ids",
"t1082",
"applescript",
"t1190",
"application",
"private server",
"t1609",
"command",
"unix shell",
"software supply",
"service",
"chain",
"t1499",
"entries",
"otx telemetry",
"next associated",
"backdoor",
"detections",
"sha256 add",
"alerts",
"heur",
"all domain",
"creation date",
"record value",
"aaaa",
"date",
"unknown ns",
"ponmocup post",
"infection dns",
"mtb nov",
"ipv4 add",
"external ip",
"copy"
],
"references": [
"www.joewa.com",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"Loads modules at runtime Looks up procedures from modules",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"Crowdsourced SIGMA Below:",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS Below:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Unique rule identifier: This rule belongs to a private collection.",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"crypto-pool.fr",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"IDS: Observed Suspicious UA (Hello, World)",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: cape_detected_threat",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"https://dns.google/resolve?name=SELECT",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"Address shows an place of origin: Broomfield , Co",
"Believed to be originating from Germany and Russia",
"BGP Hurricane Electric seen",
"Potentially Pegasus related . Found to be affecting an IOS device",
"Indicators seen may have affected a few OTX users. Is ongoing",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"This pulse is so huge it\u2019s a mess. Will break down."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Thailand",
"Germany",
"Canada"
],
"malware_families": [
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"target": null
},
{
"id": "Trojan.Sagnt/R011c0dfs24",
"display_name": "Trojan.Sagnt/R011c0dfs24",
"target": null
},
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "Unix.Trojan.Mirai",
"display_name": "Unix.Trojan.Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7669677-0",
"display_name": "Unix.Trojan.Mirai-7669677-0",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1590.005",
"name": "IP Addresses",
"display_name": "T1590.005 - IP Addresses"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1056.004",
"name": "Credential API Hooking",
"display_name": "T1056.004 - Credential API Hooking"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1608.002",
"name": "Upload Tool",
"display_name": "T1608.002 - Upload Tool"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1609",
"name": "Container Administration Command",
"display_name": "T1609 - Container Administration Command"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1195.002",
"name": "Compromise Software Supply Chain",
"display_name": "T1195.002 - Compromise Software Supply Chain"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1583.003",
"name": "Virtual Private Server",
"display_name": "T1583.003 - Virtual Private Server"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 795,
"FileHash-SHA1": 648,
"FileHash-SHA256": 3708,
"IPv4": 294,
"URL": 2587,
"domain": 739,
"hostname": 1129,
"email": 14,
"CIDR": 15,
"IPv6": 27,
"SSLCertFingerprint": 18,
"CVE": 4
},
"indicator_count": 9978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "15 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://sectigo.com/CPS0",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://sectigo.com/CPS0",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776641144.0284598
}