{ "type": "URL", "indicator": "https://sgnextbus.honcheng.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sgnextbus.honcheng.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2850786360, "indicator": "https://sgnextbus.honcheng.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "69a9cad6633206ba1204cf8f", "name": "clone school board ", "description": "", "modified": "2026-03-06T11:26:19.137000", "created": "2026-03-05T18:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad78745fdea3001aec9", "name": "clone school board ", "description": "", "modified": "2026-03-06T05:11:24.929000", "created": "2026-03-05T18:26:31.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ddc9048ba0719321307d03", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:20.247000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ddc902283b04c489f7e1cd", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:18.296000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68af4f44342f62fb6f196e5f", "name": "http://astor.com.pl", "description": "https://www.virustotal.com/gui/domain/astor.com.pl/relations", "modified": "2025-09-26T15:00:32.238000", "created": "2025-08-27T18:32:36.979000", "tags": [ "intel", "pe32", "ms windows", "crlf", "dokument xml", "ascii", "z terminatorami", "baza danych", "dane archiwum", "wersja", "autor" ], "references": [ "http://astor.com.pl", "https://astor.com.pl", "https://report.netcraft.com/submission/m9cbcPJIuBnL7TODllgScqUxx", "https://viz.greynoise.io/ip/analysis/1b6d7949-c7f6-4d92-9d1f-1df", "https://app.threat.zone/submission/172e9d09-27bf-4078-8dca-2465a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 159, "hostname": 437, "FileHash-MD5": 64, "FileHash-SHA1": 16, "FileHash-SHA256": 70, "URL": 1134 }, "indicator_count": 1880, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708d7edae64c19a8b55097", "name": "https://web.archive.org/web/*/https://cloudflare-ipfs.com/ipfs/", "description": "", "modified": "2023-12-06T15:04:30.727000", "created": "2023-12-06T15:04:30.727000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1194, "domain": 211, "hostname": 628, "URL": 945 }, "indicator_count": 2978, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708aacc81003c0b481e48f", "name": "inforextreme.com (3)", "description": "", "modified": "2023-12-06T14:52:26.313000", "created": "2023-12-06T14:52:26.313000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 2369, "hostname": 1853, "URL": 5088, "domain": 745, "FileHash-SHA1": 1, "FileHash-MD5": 2 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fd887db18f509b0e921", "name": "kim-ogg.com", "description": "", "modified": "2023-12-06T14:06:16.229000", "created": "2023-12-06T14:06:16.229000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 153, "URL": 1375, "hostname": 453, "domain": 157, "email": 2, "FileHash-SHA1": 10 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fb1a608aff2be5543a1", "name": "twibble.io", "description": "", "modified": "2023-12-06T14:05:37.418000", "created": "2023-12-06T14:05:37.418000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 208, "hostname": 238, "URL": 747, "domain": 161, "FileHash-MD5": 1, "FileHash-SHA1": 13, "email": 1 }, "indicator_count": 1369, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fa9e514ca975b6db5ca", "name": "NYTIMES.COM", "description": "", "modified": "2023-12-06T14:05:29.348000", "created": "2023-12-06T14:05:29.348000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 936, "hostname": 1927, "URL": 4576, "domain": 989, "email": 2, "FileHash-MD5": 2, "FileHash-SHA1": 4 }, "indicator_count": 8437, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e9819da1f2e8e26e78e", "name": "recallsfschoolboard.org", "description": "", "modified": "2023-12-06T14:00:56.019000", "created": "2023-12-06T14:00:56.019000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 24, "domain": 2214, "URL": 9040, "FileHash-MD5": 280, "FileHash-SHA256": 3044, "hostname": 2973, "FileHash-SHA1": 327, "SSLCertFingerprint": 6, "CIDR": 6, "email": 64 }, "indicator_count": 17978, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "639e2fed7c2b1110ee6897a5", "name": "A few corkers on here BEC BEC BEC", "description": "", "modified": "2023-01-16T20:01:36.977000", "created": "2022-12-17T21:09:01.151000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1739, "hostname": 936, "domain": 366, "FileHash-SHA256": 730, "CVE": 1, "FileHash-MD5": 58, "FileHash-SHA1": 56 }, "indicator_count": 3886, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620c3b1f8af7ea0dcf2c1218", "name": "Jeeng / Powerbox", "description": "", "modified": "2022-06-12T22:01:23.105000", "created": "2022-02-15T23:45:35.234000", "tags": [ "Jeeng", "tim pool", "timcast" ], "references": [ "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9072, "domain": 2500, "URL": 13548, "hostname": 3584, "FileHash-MD5": 197, "FileHash-SHA1": 162, "CVE": 3, "CIDR": 20, "SSLCertFingerprint": 2, "email": 19, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 97, "modified_text": "1406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62787c48325ab8f3160860cb", "name": "https://web.archive.org/web/*/https://cloudflare-ipfs.com/ipfs/", "description": "", "modified": "2022-06-08T00:03:25.734000", "created": "2022-05-09T02:28:24.504000", "tags": [ "date", "found", "network traffic", "wayback machine", "search", "sign", "donate", "friday", "upload", "upload user", "texts", "books video", "video audio", "corefoundation", "foundation", "qos user", "interactive", "qos default", "cfnetwork", "initiated", "identifier", "adam id", "is first", "twitter" ], "references": [ "https://web.archive.org/web/*/https://cloudflare-ipfs.com/ipfs/bafkreibf4rnl3oeoaavx66es2e4dth4hofqxjdmy5o3zxkvaxktak5bngq?g=https://%7Bcid%7D.ipfs.nftstorage.link/&c=bafkreiczfkzcz4pqoghjdk6prm7vtv4ccbsxzrtav5pdwpcijaniajxjqi&c=bafkreift2cqgbltqci7f2wt5tpclmffqrelymsrlg4arc4jf5ti7baj3mm&c=bafkreifdjwbl7pi4js6qw2nvwqzap2esb6k4rksokwu2vsad5ywjdjb4ja&c=bafkreifo7jrbdw25kbdli27bavvm5yqdloykagrusikkfcjwpv62yygite&c=bafkreif44lgcpn6tbghqc7d33wgavdoug6xj5246adskkes3fpnplabynu&c=bafkreieon4agc72kxd4dlcmgzigthhgkmf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 945, "FileHash-SHA256": 1194, "domain": 211, "hostname": 628 }, "indicator_count": 2978, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1411 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "624b1b24fcf576f6d340a00c", "name": "inforextreme.com (3)", "description": "", "modified": "2022-05-04T00:05:07.263000", "created": "2022-04-04T16:21:56.802000", "tags": [ "whois record", "ssl certificate", "whois", "new collection", "vt graph", "lucifer", "doublepulsar", "synaptics", "copy", "echelon", "njrat", "malware", "sorefang", "sunburst" ], "references": [ "https://www.virustotal.com/graph/gf379170e2b17454ba4088d6d6e0f3379fd716d4ff5e94b38b12ee3af4ce860d8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Australia", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5088, "hostname": 1853, "domain": 745, "FileHash-SHA256": 2369, "CVE": 4, "FileHash-MD5": 2, "FileHash-SHA1": 1 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 416, "modified_text": "1446 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622a03d5ecc6fa1f4833e6c8", "name": "MesaCounty.us", "description": "", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T13:57:41.749000", "tags": [ "code", "mesa county", "grand junction", "key identifier", "microsoft", "account a", "algorithm", "neustar reserve", "x509v3 subject", "win32 exe", "date", "info", "server", "reserve account", "postal code", "a creation", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1828, "hostname": 568, "domain": 287, "FileHash-SHA256": 288, "FileHash-SHA1": 3, "email": 2, "FileHash-MD5": 1 }, "indicator_count": 2977, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621fddd63f413e5f105c2867", "name": "kim-ogg.com", "description": "", "modified": "2022-04-01T00:01:54.852000", "created": "2022-03-02T21:12:54.798000", "tags": [ "dns replication", "date", "whois lookups", "registrant", "historical ssl", "server", "aaaa", "cname", "full name", "country", "group", "postal code", "registrar abuse", "registrar url", "info", "code" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 453, "URL": 1375, "domain": 157, "FileHash-SHA256": 153, "email": 2, "FileHash-SHA1": 10 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621e43be2d2c2f173ed3c770", "name": "twibble.io", "description": "", "modified": "2022-03-31T00:02:44.795000", "created": "2022-03-01T16:03:10.583000", "tags": [ "ssl certificate", "whois", "whois record", "server", "date", "namecheap inc", "namecheap", "code", "domain name", "registrar abuse", "registrar url", "registrar", "full name" ], "references": [ "https://www.virustotal.com/graph/gd4bb3a73b38d480c9b23076ecd95e913af9731430f824384a0336b1c5fdc2adc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 238, "URL": 747, "domain": 161, "FileHash-SHA256": 208, "FileHash-MD5": 1, "FileHash-SHA1": 13, "email": 1 }, "indicator_count": 1369, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1480 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621e371e2a74a1182e30386b", "name": "NYTIMES.COM", "description": "", "modified": "2022-03-31T00:02:44.795000", "created": "2022-03-01T15:09:18.236000", "tags": [ "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "issuer", "cncomodo rsa", "secure server", "ca cgb", "ca limited", "subject public", "key info", "key algorithm", "x509v3 key", "first", "server", "markmonitor", "date", "registrar abuse", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "code", "moves", "microsoft", "qianxin reddrip", "subdomains", "sophos news", "comodo valkyrie", "verdict mobile", "news popularity", "ranks rank", "value ingestion", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4576, "FileHash-SHA256": 936, "hostname": 1927, "domain": 989, "CVE": 1, "email": 2, "FileHash-MD5": 2, "FileHash-SHA1": 4 }, "indicator_count": 8437, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1480 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6211397913dcdae410959042", "name": "recallsfschoolboard.org", "description": "garry tan has no hand", "modified": "2022-03-26T19:02:17.827000", "created": "2022-02-19T18:39:53.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2973, "URL": 9040, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17978, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://astor.com.pl", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "https://web.archive.org/web/*/https://cloudflare-ipfs.com/ipfs/bafkreibf4rnl3oeoaavx66es2e4dth4hofqxjdmy5o3zxkvaxktak5bngq?g=https://%7Bcid%7D.ipfs.nftstorage.link/&c=bafkreiczfkzcz4pqoghjdk6prm7vtv4ccbsxzrtav5pdwpcijaniajxjqi&c=bafkreift2cqgbltqci7f2wt5tpclmffqrelymsrlg4arc4jf5ti7baj3mm&c=bafkreifdjwbl7pi4js6qw2nvwqzap2esb6k4rksokwu2vsad5ywjdjb4ja&c=bafkreifo7jrbdw25kbdli27bavvm5yqdloykagrusikkfcjwpv62yygite&c=bafkreif44lgcpn6tbghqc7d33wgavdoug6xj5246adskkes3fpnplabynu&c=bafkreieon4agc72kxd4dlcmgzigthhgkmf", "https://report.netcraft.com/submission/m9cbcPJIuBnL7TODllgScqUxx", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "https://app.threat.zone/submission/172e9d09-27bf-4078-8dca-2465a", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "https://www.virustotal.com/graph/gf379170e2b17454ba4088d6d6e0f3379fd716d4ff5e94b38b12ee3af4ce860d8", "https://astor.com.pl", "xxx.developer.android.com", "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "track.adminresourceupdate.com \u2022 postracking100.online", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674", "https://viz.greynoise.io/ip/analysis/1b6d7949-c7f6-4d92-9d1f-1df", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "https://www.virustotal.com/graph/gd4bb3a73b38d480c9b23076ecd95e913af9731430f824384a0336b1c5fdc2adc" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Wannacrypt", "Eternal blue", "Et", "!execryptor_2.x.x", "Wannacry", "Ransomware", "Taiwan", "Win32:vbmod\\ [trj]", "#lowfi:trojan:js/auto59", "Sabey", "Win.malware.agent-6386296-0", "Win.trojan.5229994-1" ], "industries": [ "Telecommunications", "Civil society", "Media", "Government" ], "unique_indicators": 94322 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/honcheng.com", "whois": "http://whois.domaintools.com/honcheng.com", "domain": "honcheng.com", "hostname": "sgnextbus.honcheng.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "69a9cad6633206ba1204cf8f", "name": "clone school board ", "description": "", "modified": "2026-03-06T11:26:19.137000", "created": "2026-03-05T18:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad78745fdea3001aec9", "name": "clone school board ", "description": "", "modified": "2026-03-06T05:11:24.929000", "created": "2026-03-05T18:26:31.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ddc9048ba0719321307d03", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:20.247000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ddc902283b04c489f7e1cd", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:18.296000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68af4f44342f62fb6f196e5f", "name": "http://astor.com.pl", "description": "https://www.virustotal.com/gui/domain/astor.com.pl/relations", "modified": "2025-09-26T15:00:32.238000", "created": "2025-08-27T18:32:36.979000", "tags": [ "intel", "pe32", "ms windows", "crlf", "dokument xml", "ascii", "z terminatorami", "baza danych", "dane archiwum", "wersja", "autor" ], "references": [ "http://astor.com.pl", "https://astor.com.pl", "https://report.netcraft.com/submission/m9cbcPJIuBnL7TODllgScqUxx", "https://viz.greynoise.io/ip/analysis/1b6d7949-c7f6-4d92-9d1f-1df", "https://app.threat.zone/submission/172e9d09-27bf-4078-8dca-2465a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 159, "hostname": 437, "FileHash-MD5": 64, "FileHash-SHA1": 16, "FileHash-SHA256": 70, "URL": 1134 }, "indicator_count": 1880, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708d7edae64c19a8b55097", "name": "https://web.archive.org/web/*/https://cloudflare-ipfs.com/ipfs/", "description": "", "modified": "2023-12-06T15:04:30.727000", "created": "2023-12-06T15:04:30.727000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1194, "domain": 211, "hostname": 628, "URL": 945 }, "indicator_count": 2978, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708aacc81003c0b481e48f", "name": "inforextreme.com (3)", "description": "", "modified": "2023-12-06T14:52:26.313000", "created": "2023-12-06T14:52:26.313000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-SHA256": 2369, "hostname": 1853, "URL": 5088, "domain": 745, "FileHash-SHA1": 1, "FileHash-MD5": 2 }, "indicator_count": 10062, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fd887db18f509b0e921", "name": "kim-ogg.com", "description": "", "modified": "2023-12-06T14:06:16.229000", "created": "2023-12-06T14:06:16.229000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 153, "URL": 1375, "hostname": 453, "domain": 157, "email": 2, "FileHash-SHA1": 10 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fb1a608aff2be5543a1", "name": "twibble.io", "description": "", "modified": "2023-12-06T14:05:37.418000", "created": "2023-12-06T14:05:37.418000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 208, "hostname": 238, "URL": 747, "domain": 161, "FileHash-MD5": 1, "FileHash-SHA1": 13, "email": 1 }, "indicator_count": 1369, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sgnextbus.honcheng.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sgnextbus.honcheng.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776622627.3855627 }