{
  "type": "URL",
  "indicator": "https://stuff.rop.io/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://stuff.rop.io/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 2688589000,
      "indicator": "https://stuff.rop.io/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "695de6e443ac6f9615325882",
          "name": "UAlberta Computer Lab Issues - From U of A Labs",
          "description": "A Malware file has been found on the back of a UAlberta computer lab's back-up drive, which is being tested by researchers at the University of Alberta in Alberta. and the BBC\nThor query UAlberta Computer Lab Issues - From U of A Labs",
          "modified": "2026-02-06T04:06:27.529000",
          "created": "2026-01-07T04:53:56.209000",
          "tags": [
            "drive",
            "problems1",
            "data",
            "no problems",
            "upload",
            "ccid",
            "vmware horizons",
            "lab issuesfrom",
            "a labssome",
            "programs",
            "look",
            "june",
            "dllinject",
            "alphabet",
            "accept",
            "confuserex",
            "local",
            "restrict",
            "malware",
            "friday",
            "open",
            "delphi",
            "first",
            "stream",
            "rooter",
            "mon mar",
            "scanid",
            "wed may",
            "info",
            "whirlpool",
            "sun sep",
            "archivetype",
            "powershell",
            "UAlberta",
            "Alberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/44c7e214790e1e5a819dd93dd1b6fb82cf95b5e383ff773b275d0874fab10163/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1225,
            "FileHash-SHA1": 953,
            "FileHash-SHA256": 872,
            "URL": 12,
            "domain": 61,
            "hostname": 9,
            "email": 1
          },
          "indicator_count": 3133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "116 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "695cc5b5337bc1ac1273946a",
          "name": "Macbook Air Macbook Air",
          "description": "Macbook Air Macbook Air",
          "modified": "2026-02-05T07:00:52.044000",
          "created": "2026-01-06T08:20:05.305000",
          "tags": [
            "doctype",
            "public",
            "data",
            "drive",
            "problems1",
            "no problems",
            "upload",
            "tue aug",
            "scanid",
            "archivetype",
            "june",
            "look",
            "accept",
            "internal",
            "ransomware",
            "error",
            "trace",
            "sparkle",
            "fusion",
            "alphabet",
            "path",
            "archivesize",
            "archivemd5",
            "archivesha256",
            "open",
            "whirlpool",
            "syst",
            "stream",
            "mercury",
            "import",
            "info",
            "dangerous file",
            "modified",
            "tue jul",
            "mon sep",
            "mon mar",
            "sigtype1",
            "false",
            "warp",
            "powershell",
            "specs",
            "subscore1",
            "Mac",
            "Apple"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12573,
            "FileHash-SHA1": 14594,
            "FileHash-SHA256": 12489,
            "URL": 88,
            "domain": 98,
            "email": 15,
            "hostname": 119
          },
          "indicator_count": 39976,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "695ca8b688eb56b3a0247098",
          "name": "System32 - Subfolders",
          "description": "E:\\Suss-SG2\\System32 - Subfolders.zip",
          "modified": "2026-02-05T06:03:21.110000",
          "created": "2026-01-06T06:16:22.880000",
          "tags": [
            "tue apr",
            "scanid",
            "mon mar",
            "archivesize",
            "archivesha1",
            "archivesha256",
            "archivecreated",
            "f archiveowner",
            "sigtype1",
            "sigclass1",
            "look",
            "powershell",
            "first",
            "strings",
            "dllinject",
            "june",
            "span",
            "error",
            "fail",
            "rooter",
            "info",
            "alphabet",
            "false",
            "path",
            "service",
            "dword",
            "shell",
            "model",
            "assistant",
            "code",
            "syst",
            "checker",
            "rest",
            "core",
            "tencent",
            "null",
            "accept",
            "open",
            "pass",
            "internal",
            "meta",
            "root",
            "desktop",
            "window",
            "maximu",
            "stream",
            "android",
            "comp",
            "date",
            "whirlpool",
            "kevin",
            "sett",
            "locale",
            "cloud",
            "malware",
            "class"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 148,
            "CIDR": 2,
            "FileHash-MD5": 9860,
            "FileHash-SHA1": 10592,
            "FileHash-SHA256": 8443,
            "domain": 147,
            "email": 6,
            "hostname": 49
          },
          "indicator_count": 29247,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "695c9687a283f9b9025214ca",
          "name": "VIRUSTOTAL_RESULT: found VIRUSTOTAL_VERDICTS:",
          "description": "Thor scan Query on infected system\n\n\" VIRUSTOTAL_RESULT: found VIRUSTOTAL_VERDICTS: \"",
          "modified": "2026-02-05T04:02:18.597000",
          "created": "2026-01-06T04:58:47.828000",
          "tags": [
            "scanid",
            "sigtype1",
            "sigclass1",
            "rule matched1",
            "virustotalnames",
            "subscore1",
            "f owner",
            "data",
            "mon mar",
            "drive",
            "june",
            "look",
            "error",
            "powershell",
            "copy",
            "dllinject",
            "open",
            "info",
            "metasploit",
            "null",
            "service",
            "insta",
            "alphabet",
            "code",
            "write",
            "malware",
            "warp",
            "stack",
            "whirlpool",
            "internal",
            "void",
            "premium",
            "defender",
            "shell",
            "virustotal",
            "unknown",
            "form",
            "agent",
            "path",
            "accept",
            "upgrade",
            "webin"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Education",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 73,
            "CVE": 1,
            "FileHash-MD5": 616,
            "FileHash-SHA1": 772,
            "FileHash-SHA256": 560,
            "domain": 50,
            "email": 8,
            "hostname": 55
          },
          "indicator_count": 2135,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "695d668ac3fccc66d2f6d1a8",
          "name": "A. Random to Upload\\System32.zip\\System32",
          "description": "E:\\Suss-SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\A. Random to Upload\\System32.zip\\System32",
          "modified": "2026-02-05T00:04:00.617000",
          "created": "2026-01-06T19:46:17.990000",
          "tags": [
            "random",
            "drive",
            "problems1",
            "data",
            "no problems",
            "upload",
            "progressa",
            "fri sep",
            "mon sep",
            "mon mar",
            "look",
            "first",
            "dllinject",
            "june",
            "powershell",
            "internal",
            "rooter",
            "alphabet",
            "code",
            "error",
            "info",
            "whirlpool",
            "null",
            "false",
            "write",
            "getad",
            "malware",
            "strings",
            "format",
            "plugx",
            "open",
            "spyeye",
            "config",
            "stream",
            "click",
            "shade",
            "spectre",
            "Microsoft",
            "Windows",
            "System32"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 17,
            "FileHash-MD5": 5086,
            "FileHash-SHA1": 3168,
            "FileHash-SHA256": 2935,
            "domain": 55,
            "email": 3,
            "hostname": 18
          },
          "indicator_count": 11282,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694a494827c6d499cb129813",
          "name": "E:\\Suss-SG2\\5.6.22.zip",
          "description": "E:\\Suss-SG2\\5.6.22.zip",
          "modified": "2026-02-01T00:04:14.146000",
          "created": "2025-12-23T07:48:24.188000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/92a0f83827eb2206ad606d967f4efafc4b38f680ecc6c3f66c332c3427fcb1c9",
            "https://www.virustotal.com/gui/collection/92a0f83827eb2206ad606d967f4efafc4b38f680ecc6c3f66c332c3427fcb1c9/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 519,
            "FileHash-SHA1": 275,
            "FileHash-SHA256": 274,
            "URL": 27,
            "email": 2,
            "hostname": 8
          },
          "indicator_count": 1105,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "121 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694b02eb945649ff909f06d5",
          "name": "$RECYCLE . BIN\\ -> Part 2",
          "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta",
          "modified": "2026-01-28T02:03:16.337000",
          "created": "2025-12-23T21:00:27.029000",
          "tags": [
            "Telus",
            "YEG",
            "AHS",
            "Pixel",
            "ConnectCare",
            "Norton",
            "UAlberta",
            "Google"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Education",
            "Technology",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 65761,
            "FileHash-SHA1": 56561,
            "FileHash-SHA256": 43672,
            "domain": 1373,
            "email": 39,
            "URL": 466,
            "hostname": 818,
            "CVE": 3,
            "CIDR": 2
          },
          "indicator_count": 168695,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "125 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694b1230c66ca26213c32f45",
          "name": "E:\\Suss-SG2\\where.zip",
          "description": "E:\\Suss-SG2\\where.zip",
          "modified": "2026-01-28T00:00:40.140000",
          "created": "2025-12-23T22:05:36.653000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 204,
            "FileHash-SHA1": 134,
            "FileHash-SHA256": 132,
            "URL": 9,
            "email": 2,
            "hostname": 3,
            "domain": 1
          },
          "indicator_count": 485,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "125 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694b12cb25e65ba6a29d3649",
          "name": "Avast",
          "description": "E:\\Suss-SG2\\Avast (1)\\",
          "modified": "2026-01-28T00:00:40.140000",
          "created": "2025-12-23T22:08:11.384000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 537,
            "FileHash-SHA1": 339,
            "FileHash-SHA256": 297,
            "URL": 30,
            "domain": 23,
            "email": 5,
            "hostname": 22
          },
          "indicator_count": 1253,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "125 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "695cdac9b35161f837390388",
          "name": "Macbook Air\\MacOS - Macbook Air",
          "description": "Macbook Air\\MacOS - Macbook Air",
          "modified": "2026-01-06T09:50:01.622000",
          "created": "2026-01-06T09:50:01.622000",
          "tags": [
            "doctype",
            "public",
            "data",
            "drive",
            "no problems",
            "upload",
            "problems1",
            "macbook airthor",
            "agent",
            "scanid",
            "look",
            "june",
            "blink",
            "info",
            "date",
            "shift",
            "malware",
            "powershell",
            "null",
            "squirrel",
            "alphabet",
            "accept",
            "whirlpool",
            "error",
            "dllinject",
            "virustotal",
            "enterprise"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6,
            "FileHash-MD5": 59,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 55,
            "domain": 5,
            "email": 2,
            "hostname": 4
          },
          "indicator_count": 212,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "147 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6954dd1dad1e2cf90daa6fab",
          "name": "Security Vendors\\Cisco",
          "description": "Security Vendors\\Cisco",
          "modified": "2025-12-31T08:21:49.400000",
          "created": "2025-12-31T08:21:49.400000",
          "tags": [
            "drive",
            "data",
            "no problems",
            "upload",
            "problems1",
            "progressb",
            "scanid",
            "wed aug",
            "mon mar",
            "sigtype1",
            "look",
            "june",
            "accept",
            "alphabet",
            "dllinject",
            "first",
            "Cisco"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 103,
            "FileHash-SHA1": 59,
            "FileHash-SHA256": 53,
            "URL": 3,
            "domain": 3,
            "hostname": 3,
            "email": 2
          },
          "indicator_count": 226,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "153 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64e298af236c03fdd49226dd",
          "name": "IOC's from my personal devices for the week starting 08/21/23 - Pure Linux",
          "description": "It's becoming quite the wrestling match trying to get these pulses's created especially trying to utilize OTX's native uploader for the actual pulse; but after taking another persistent OS instance as a casualty I'm finally getting a workflow down. \n\nThis is all Linux starting this week; with a metric f*ck ton and frankly overwhelming amount of Yara matches I could only get a few to play outside of local analysis. But those include an apprently rooted libgo that landed on an Arch ISO as well as a CAchyOS ISO; a Dockerd that was hiding in the source {~/docker/bundles/binary) directory after cloning from gtihub earlier today as well as an unsolicited dsniff executable. Whatever this is also decided to leech off of and make a home out of the Cuda lib (/opt/cuda/ --- and as soon as I can get it uploaded a malicious ISO, and kernel out of the docker-desktop (/opt/docker-desktop) directory. Never a dull moment.",
          "modified": "2024-02-14T21:44:03.410000",
          "created": "2023-08-20T22:50:23.225000",
          "tags": [
            "dukexternaldecl",
            "dukfilemacro",
            "duklinemacro",
            "duktape",
            "dukapinoreturn",
            "dukcompileeval",
            "dukcompilesafe",
            "null",
            "vaargs",
            "ecmascript",
            "date",
            "error",
            "push",
            "local",
            "internal",
            "returns",
            "value",
            "boostnocwchar",
            "indeterminate",
            "boostusefacet",
            "brief returns",
            "boosthasfacet",
            "gregor",
            "boost software",
            "license",
            "banner",
            "ipaddr",
            "author",
            "usage",
            "version",
            "anhth",
            "atlassian2",
            "cdn2",
            "devadmin",
            "haproxy3",
            "false",
            "team",
            "abba",
            "abcd",
            "acid",
            "adonis",
            "aeon",
            "afrodita",
            "agent",
            "akira",
            "alabama",
            "aldebaran",
            "aleph",
            "alex",
            "alexa",
            "alfa",
            "alien",
            "alina",
            "alisa",
            "alma",
            "alpha",
            "amigo",
            "amos",
            "anarchy",
            "andromeda",
            "angela",
            "anime",
            "anis",
            "anna",
            "anubis",
            "apache",
            "apollo",
            "april",
            "arch",
            "archie",
            "argos",
            "argus",
            "aria",
            "aris",
            "armageddon",
            "artemis",
            "asahi",
            "ashley",
            "assassin",
            "astra",
            "atom",
            "atomic",
            "august",
            "auriga",
            "aurora",
            "austin",
            "autorun",
            "avalanche",
            "avalon",
            "avenger",
            "aviator",
            "avril",
            "azrael",
            "baba",
            "babe",
            "baby",
            "babylon",
            "bach",
            "baidu",
            "bandung",
            "bank",
            "baobab",
            "bara",
            "baran",
            "baron",
            "barry",
            "bart",
            "basket",
            "batman",
            "bazar",
            "beer",
            "belarus",
            "belka",
            "belle",
            "benchmark",
            "benjamin",
            "benny",
            "bill",
            "bingo",
            "blackbox",
            "blackcat",
            "blackhole",
            "blacksun",
            "blaze",
            "blizzard",
            "blondie",
            "blood",
            "bluesky",
            "bnet",
            "bobo",
            "bomb",
            "bomber",
            "boom",
            "borg",
            "bounce",
            "bouncer",
            "boxer",
            "bridge",
            "buddy",
            "bullet",
            "bumblebee",
            "bunny",
            "burn",
            "caca",
            "caesar",
            "calendar",
            "calgary",
            "camel",
            "candle",
            "canvas",
            "cardinal",
            "cargo",
            "carpediem",
            "carrier",
            "casino",
            "casper",
            "cassini",
            "celine",
            "cerberus",
            "cetus",
            "chacha",
            "chantal",
            "cheap",
            "chester",
            "chewbacca",
            "chin",
            "citadel",
            "clarity",
            "class",
            "click",
            "clock",
            "cluster",
            "cobalt",
            "cobra",
            "coco",
            "coconut",
            "code",
            "coke",
            "combo",
            "comet",
            "comment",
            "comp",
            "conan",
            "config",
            "connector",
            "contact",
            "cookie",
            "cool",
            "corona",
            "cracker",
            "crash",
            "crawl",
            "crazy",
            "crew",
            "crime",
            "crimson",
            "crypton",
            "crystal",
            "cuba",
            "cyber",
            "cyrus",
            "dada",
            "dani",
            "daniel",
            "dark",
            "darkman",
            "darkness",
            "darkside",
            "darkstar",
            "daum",
            "david",
            "davis",
            "dbase",
            "death",
            "deimos",
            "delphi",
            "delta",
            "demo",
            "democracy",
            "dennis",
            "depot",
            "derek",
            "designer",
            "desktop",
            "dexter",
            "dharma",
            "diablo",
            "dialer",
            "diego",
            "diesel",
            "digi",
            "dima",
            "dino",
            "direct",
            "divine",
            "django",
            "dock",
            "dodo",
            "dolphin",
            "domino",
            "donald",
            "doom",
            "dora",
            "dotnet",
            "dracula",
            "dragon",
            "drop",
            "drweb",
            "dude",
            "duke",
            "dummy",
            "dump",
            "dune",
            "dust",
            "duster",
            "easy",
            "echelon",
            "eclipse",
            "eddie",
            "eddy",
            "elaine",
            "eleanor",
            "elisa",
            "elite",
            "emilia",
            "emma",
            "empire",
            "encrypt",
            "energy",
            "epsilon",
            "equinox",
            "eris",
            "esmeralda",
            "esupport",
            "eternal",
            "eternity",
            "euclid",
            "evil",
            "excalibur",
            "exodus",
            "experiment",
            "explorer",
            "express",
            "face",
            "facebook",
            "factory",
            "faisal",
            "fastcash",
            "feedme",
            "fenrir",
            "feri",
            "fiesta",
            "final",
            "finger",
            "firebird",
            "firefly",
            "first",
            "flamingo",
            "flash",
            "flex",
            "floyd",
            "flux",
            "fortune",
            "foryou",
            "foxy",
            "freddy",
            "freedom",
            "freeweb",
            "frodo",
            "frog",
            "front",
            "frozen",
            "fruit",
            "funky",
            "fury",
            "gaga",
            "galaxy",
            "galileo",
            "gamma",
            "gate",
            "gauss",
            "general",
            "generator",
            "genome",
            "giga",
            "gigi",
            "ginger",
            "girls",
            "glacier",
            "globe",
            "gloria",
            "goblin",
            "gogo",
            "golf",
            "gollum",
            "gondor",
            "gotcha",
            "graphite",
            "groove",
            "guard",
            "habbo",
            "hair",
            "hale",
            "hamster",
            "happytime",
            "harmony",
            "harrier",
            "havoc",
            "hawk",
            "hehe",
            "hell",
            "hello",
            "helpme",
            "hermit",
            "hino",
            "hippo",
            "honeypot",
            "hook",
            "horror",
            "hoster",
            "hotmail",
            "hunter",
            "hydra",
            "ibank",
            "icarus",
            "ident",
            "igloo",
            "iloveyou",
            "immortal",
            "impact",
            "import",
            "incom",
            "incubator",
            "indra",
            "inex",
            "inferno",
            "infinity",
            "info",
            "infra",
            "insane",
            "inside",
            "inter",
            "iowa",
            "iron",
            "iservice",
            "istanbul",
            "ivan",
            "jackson",
            "jaka",
            "jason",
            "jedi",
            "jeff",
            "jigsaw",
            "jimmy",
            "jinx",
            "john",
            "johnny",
            "joker",
            "joshi",
            "jquery",
            "judy",
            "julia",
            "juliet",
            "julius",
            "june",
            "juno",
            "justin",
            "kaiser",
            "kala",
            "kali",
            "kami",
            "kamikaze",
            "kamil",
            "kappa",
            "karin",
            "karina",
            "karma",
            "kato",
            "katy",
            "keeper",
            "kevin",
            "kiev",
            "killer",
            "kilo",
            "kiwi",
            "koko",
            "krasnodar",
            "krypton",
            "kurgan",
            "lana",
            "landmark",
            "lapis",
            "larry",
            "lazarus",
            "lazy",
            "leda",
            "legacy",
            "leon",
            "levi",
            "leviathan",
            "light",
            "lilith",
            "lilo",
            "lime",
            "little",
            "liza",
            "lizard",
            "logger",
            "logic",
            "loke",
            "loki",
            "lola",
            "loli",
            "lolita",
            "lolol",
            "look",
            "loulou",
            "love",
            "lucia",
            "lucky",
            "lucy",
            "luna",
            "lust",
            "madmax",
            "mafia",
            "magazine",
            "magento",
            "maggie",
            "magic",
            "magnum",
            "mailto",
            "maker",
            "mamba",
            "mami",
            "mandrake",
            "mania",
            "manuel",
            "marina",
            "mario",
            "mark",
            "markus",
            "marlboro",
            "martin",
            "maru",
            "mask",
            "massmail",
            "matrix",
            "maverick",
            "maximus",
            "maya",
            "mayak",
            "maze",
            "media",
            "medusa",
            "mensa",
            "mercurial",
            "mercury",
            "merlin",
            "meta",
            "metal",
            "metallica",
            "meteor",
            "metro",
            "mexico",
            "michael",
            "mikey",
            "mine",
            "mini",
            "minotaur",
            "minsk",
            "mint",
            "mira",
            "miso",
            "mission",
            "model",
            "monster",
            "moran",
            "mordor",
            "mozart",
            "multi",
            "murphy",
            "mylove",
            "nazgul",
            "nebula",
            "neko",
            "netmail",
            "neuro",
            "neuron",
            "nevada",
            "nexus",
            "night",
            "nightmare",
            "nikita",
            "niko",
            "nina",
            "ninja",
            "nirvana",
            "nitro",
            "nomad",
            "nono",
            "noob",
            "northstar",
            "nova",
            "nuke",
            "oblivion",
            "octopus",
            "ogre",
            "olga",
            "olivia",
            "omni",
            "ontario",
            "open",
            "orinoco",
            "oscar",
            "otto",
            "outside",
            "ozzy",
            "pacman",
            "pamela",
            "panama",
            "panda",
            "pandora",
            "panic",
            "paradox",
            "paraguay",
            "paranoia",
            "paris",
            "pass",
            "passmark",
            "path",
            "payment",
            "pedro",
            "pepe",
            "pepper",
            "perseus",
            "phantom",
            "philadelphia",
            "phoenix",
            "phpbb",
            "picasso",
            "pigeon",
            "pikachu",
            "pinger",
            "pingpong",
            "pinky",
            "pioneer",
            "pirate",
            "piter",
            "pixel",
            "pizza",
            "plasma",
            "pluto",
            "police",
            "pony",
            "porno",
            "posta",
            "prague",
            "predator",
            "prestige",
            "primus",
            "prism",
            "privat",
            "probe",
            "problem",
            "proj",
            "project",
            "prometheus",
            "prophet",
            "protect",
            "proteus",
            "proton",
            "puma",
            "punk",
            "python",
            "quake",
            "quartz",
            "quasar",
            "r2d2",
            "race",
            "ragnarok",
            "raid",
            "rainbow",
            "rambo",
            "rana",
            "ranger",
            "rape",
            "rapid",
            "raptor",
            "ravi",
            "razor",
            "reboot",
            "recon",
            "rector",
            "reda",
            "redir",
            "redirector",
            "redline",
            "refresh",
            "reklam",
            "relax",
            "rescue",
            "retro",
            "rhino",
            "rigel",
            "riot",
            "robin",
            "robinhood",
            "robo",
            "rock",
            "rocket",
            "rogue",
            "roma",
            "rosebud",
            "roxy",
            "ruby",
            "runner",
            "rush",
            "sadmin",
            "saigon",
            "sailor",
            "sakura",
            "salsa",
            "samurai",
            "sanctuary",
            "sandbox",
            "sandra",
            "sandy",
            "sapphire",
            "sara",
            "sarah",
            "satan",
            "saturn",
            "sauron",
            "savenow",
            "school",
            "seeker",
            "sentinel",
            "seraph",
            "serena",
            "serg",
            "service",
            "servidor",
            "sexy",
            "shadow",
            "shaggy",
            "shaman",
            "shane",
            "sharepoint",
            "shark",
            "shell",
            "sherlock",
            "silent",
            "simba",
            "simplex",
            "sirius",
            "skinner",
            "skipper",
            "skynet",
            "slash",
            "slice",
            "slim",
            "smash",
            "smog",
            "snake",
            "sniper",
            "snow",
            "snowflake",
            "sochi",
            "solid",
            "sonic",
            "sora",
            "soul",
            "spark",
            "sparkle",
            "sparta",
            "spartacus",
            "spawn",
            "spectre",
            "sphinx",
            "spice",
            "spin",
            "spirit",
            "splash",
            "spooky",
            "sport",
            "squirrel",
            "star",
            "stark",
            "stealth",
            "steel",
            "stop",
            "story",
            "striker",
            "stub",
            "styx",
            "sugar",
            "sunny",
            "sunset",
            "super",
            "supernova",
            "supervisor",
            "supra",
            "suri",
            "survey",
            "sweet",
            "sword",
            "sysadmin",
            "target",
            "tarot",
            "taurus",
            "teamo",
            "techno",
            "telecom",
            "template",
            "terminal",
            "terra",
            "terre",
            "testapi",
            "tetris",
            "thebe",
            "theta",
            "thor",
            "tibia",
            "tick",
            "ticker",
            "tiger",
            "tigger",
            "tiny",
            "titan",
            "titanic",
            "tokyo",
            "toolbar",
            "torun",
            "trace",
            "trailer",
            "trash",
            "trident",
            "trigger",
            "trinity",
            "tripoli",
            "triton",
            "troll",
            "tron",
            "troy",
            "tsunami",
            "tula",
            "twister",
            "twitter",
            "ultimate",
            "uranus",
            "uruguay",
            "valencia",
            "valentine",
            "valeria",
            "vampire",
            "vanguard",
            "venus",
            "victor",
            "vidar",
            "vienna",
            "viper",
            "voice",
            "voodoo",
            "voronezh",
            "vortex",
            "voyager",
            "vulcano",
            "waffle",
            "wagner",
            "walker",
            "wallpaper",
            "walrus",
            "wanderer",
            "warrior",
            "webadmin",
            "webdav",
            "websearch",
            "webview",
            "wedge",
            "westnet",
            "whiterose",
            "wide",
            "widget",
            "willow",
            "win4",
            "window",
            "winnie",
            "winnt",
            "wolf",
            "wraith",
            "write",
            "wuhan",
            "xanadu",
            "xena",
            "xenon",
            "xmail",
            "xpress",
            "yang",
            "youth",
            "yoyo",
            "yume",
            "zeppelin",
            "zero",
            "zeus",
            "zhang",
            "zimbra",
            "zion",
            "zombie",
            "zona",
            "zorro",
            "zulu",
            "NativeAPI"
          ],
          "references": [
            "duktape.h",
            "tribool_io.hpp",
            "dnsspider",
            "libgo.so.22.0.0",
            "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4/64e43114272b03328005b88b",
            "/opt/cuda",
            "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0/64e3ff9747b24214820d5c1a",
            "https://hybrid-analysis.com/sample/32bc49b0d1d7aba6742b0e81dc0105c54bd5c9f32321f96b1594fbbe36692880",
            "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef/64e3ffbd15668ff65803bf54",
            "dockerd",
            "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4",
            "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0",
            "https://hybrid-analysis.com/sample/0d4a7cda209c9701bc4cd19aac861d2be8aa1ce6258922d64e711de3d9bad2ae/64e679f61825d88cf802a74d",
            "https://hybrid-analysis.com/sample/b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c/64e52411dbff7da2f4065fe7",
            "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef",
            "https://hybrid-analysis.com/sample/1ba7314785f705d0a3db7a3a8ae1da4fe11a2f776287ce3aabc3f3931469447b/64e67888f8d1145b63007ad1",
            "https://hybrid-analysis.com/sample/27c46f4f186b2168b1d37057378b58667151088cea24c8944d539d251d0b7f6d/64e678fba4a2aff1640fc39a"
          ],
          "public": 1,
          "adversary": "TBD",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1547.009",
              "name": "Shortcut Modification",
              "display_name": "T1547.009 - Shortcut Modification"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1055.003",
              "name": "Thread Execution Hijacking",
              "display_name": "T1055.003 - Thread Execution Hijacking"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1560.002",
              "name": "Archive via Library",
              "display_name": "T1560.002 - Archive via Library"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056.004",
              "name": "Credential API Hooking",
              "display_name": "T1056.004 - Credential API Hooking"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 152,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 676,
            "URL": 1068,
            "domain": 11442,
            "email": 36,
            "hostname": 1862,
            "FileHash-MD5": 2000,
            "FileHash-SHA256": 1082
          },
          "indicator_count": 18166,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "838 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ee2668cad3bfce7a474d79",
          "name": "IOC's from my personal devices for the week starting 08/28/23 - leveraging Yara, overwhelmed",
          "description": "placeholder\n\nAt present I have well over 2000 detections just on this one device - I'm working on getting everything presentable.",
          "modified": "2024-02-10T03:37:00.560000",
          "created": "2023-08-29T17:10:00.158000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "unicode",
            "indicator",
            "file",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "hybrid analysis",
            "suspicious",
            "hybrid",
            "close",
            "click",
            "august",
            "crypto",
            "strings",
            "malicious",
            "podcast",
            "team",
            "june",
            "error",
            "virtual size",
            "fail",
            "media",
            "path",
            "entropy",
            "alienvault",
            "open threat"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
            "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
            "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
            "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
            "https://tria.ge/230825-pdyvdabe74",
            "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "Poet RAT",
              "display_name": "Poet RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Ponmocup",
              "display_name": "TrojanDropper:Win32/Ponmocup",
              "target": "/malware/TrojanDropper:Win32/Ponmocup"
            },
            {
              "id": "Shylock",
              "display_name": "Shylock",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "TrojanSpy:Win32/Warpp",
              "display_name": "TrojanSpy:Win32/Warpp",
              "target": "/malware/TrojanSpy:Win32/Warpp"
            },
            {
              "id": "IronTiger",
              "display_name": "IronTiger",
              "target": null
            },
            {
              "id": "wimmie",
              "display_name": "wimmie",
              "target": null
            },
            {
              "id": "lsadump",
              "display_name": "lsadump",
              "target": null
            },
            {
              "id": "SURTR",
              "display_name": "SURTR",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 68,
            "URL": 119,
            "domain": 36,
            "hostname": 88,
            "email": 1,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 442,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "843 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a05f90fecc8ca5ef695c",
          "name": "IOC's from my personal devices for the week starting 08/21/23 - Pure Linux",
          "description": "",
          "modified": "2023-12-06T16:25:02.930000",
          "created": "2023-12-06T16:25:02.930000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2821,
            "hostname": 464,
            "email": 26,
            "URL": 978,
            "FileHash-MD5": 1139,
            "FileHash-SHA1": 541,
            "FileHash-SHA256": 839
          },
          "indicator_count": 6808,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "908 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64f379639e77ae81f51fb1a6",
          "name": "IOC's from my personal devices for the week starting 08/28/23 (byMeekd1904) hmm?",
          "description": "",
          "modified": "2023-09-02T18:05:23.864000",
          "created": "2023-09-02T18:05:23.864000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "unicode",
            "indicator",
            "file",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "hybrid analysis",
            "suspicious",
            "hybrid",
            "close",
            "click",
            "august",
            "crypto",
            "strings",
            "malicious",
            "podcast",
            "team",
            "june",
            "error",
            "virtual size",
            "fail",
            "media",
            "path",
            "entropy",
            "alienvault",
            "open threat"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
            "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
            "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
            "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
            "https://tria.ge/230825-pdyvdabe74",
            "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "Poet RAT",
              "display_name": "Poet RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Ponmocup",
              "display_name": "TrojanDropper:Win32/Ponmocup",
              "target": "/malware/TrojanDropper:Win32/Ponmocup"
            },
            {
              "id": "Shylock",
              "display_name": "Shylock",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "TrojanSpy:Win32/Warpp",
              "display_name": "TrojanSpy:Win32/Warpp",
              "target": "/malware/TrojanSpy:Win32/Warpp"
            },
            {
              "id": "IronTiger",
              "display_name": "IronTiger",
              "target": null
            },
            {
              "id": "wimmie",
              "display_name": "wimmie",
              "target": null
            },
            {
              "id": "lsadump",
              "display_name": "lsadump",
              "target": null
            },
            {
              "id": "SURTR",
              "display_name": "SURTR",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": "64ee2668cad3bfce7a474d79",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 68,
            "URL": 119,
            "domain": 36,
            "hostname": 88,
            "email": 1,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 442,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "1003 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086",
        "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "tribool_io.hpp",
        "https://hybrid-analysis.com/sample/b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c/64e52411dbff7da2f4065fe7",
        "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef/64e3ffbd15668ff65803bf54",
        "https://hybrid-analysis.com/sample/27c46f4f186b2168b1d37057378b58667151088cea24c8944d539d251d0b7f6d/64e678fba4a2aff1640fc39a",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
        "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4/64e43114272b03328005b88b",
        "/opt/cuda",
        "https://hybrid-analysis.com/sample/1ba7314785f705d0a3db7a3a8ae1da4fe11a2f776287ce3aabc3f3931469447b/64e67888f8d1145b63007ad1",
        "https://hybrid-analysis.com/sample/0d4a7cda209c9701bc4cd19aac861d2be8aa1ce6258922d64e711de3d9bad2ae/64e679f61825d88cf802a74d",
        "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
        "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
        "dockerd",
        "libgo.so.22.0.0",
        "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0",
        "dnsspider",
        "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
        "https://hybrid-analysis.com/sample/32bc49b0d1d7aba6742b0e81dc0105c54bd5c9f32321f96b1594fbbe36692880",
        "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4",
        "duktape.h",
        "https://www.virustotal.com/gui/collection/92a0f83827eb2206ad606d967f4efafc4b38f680ecc6c3f66c332c3427fcb1c9/iocs",
        "https://www.virustotal.com/gui/collection/44c7e214790e1e5a819dd93dd1b6fb82cf95b5e383ff773b275d0874fab10163/iocs",
        "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
        "https://www.virustotal.com/gui/collection/92a0f83827eb2206ad606d967f4efafc4b38f680ecc6c3f66c332c3427fcb1c9",
        "https://tria.ge/230825-pdyvdabe74",
        "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef",
        "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0/64e3ff9747b24214820d5c1a"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "N/A",
            "TBD"
          ],
          "malware_families": [
            "Wimmie",
            "Virus:win95/cerebrus",
            "Irontiger",
            "Trojan:linux/rootkit",
            "Shylock",
            "Spyeye",
            "Surtr",
            "Poet rat",
            "Trojanspy:win32/warpp",
            "Lsadump",
            "Cobalt strike",
            "Trojandropper:win32/ponmocup"
          ],
          "industries": [
            "Government",
            "Education",
            "Healthcare",
            "Technology",
            "Individuals",
            "Telecommunications"
          ],
          "unique_indicators": 158647
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/rop.io",
    "whois": "http://whois.domaintools.com/rop.io",
    "domain": "rop.io",
    "hostname": "stuff.rop.io"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "695de6e443ac6f9615325882",
      "name": "UAlberta Computer Lab Issues - From U of A Labs",
      "description": "A Malware file has been found on the back of a UAlberta computer lab's back-up drive, which is being tested by researchers at the University of Alberta in Alberta. and the BBC\nThor query UAlberta Computer Lab Issues - From U of A Labs",
      "modified": "2026-02-06T04:06:27.529000",
      "created": "2026-01-07T04:53:56.209000",
      "tags": [
        "drive",
        "problems1",
        "data",
        "no problems",
        "upload",
        "ccid",
        "vmware horizons",
        "lab issuesfrom",
        "a labssome",
        "programs",
        "look",
        "june",
        "dllinject",
        "alphabet",
        "accept",
        "confuserex",
        "local",
        "restrict",
        "malware",
        "friday",
        "open",
        "delphi",
        "first",
        "stream",
        "rooter",
        "mon mar",
        "scanid",
        "wed may",
        "info",
        "whirlpool",
        "sun sep",
        "archivetype",
        "powershell",
        "UAlberta",
        "Alberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/44c7e214790e1e5a819dd93dd1b6fb82cf95b5e383ff773b275d0874fab10163/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1225,
        "FileHash-SHA1": 953,
        "FileHash-SHA256": 872,
        "URL": 12,
        "domain": 61,
        "hostname": 9,
        "email": 1
      },
      "indicator_count": 3133,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "116 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "695cc5b5337bc1ac1273946a",
      "name": "Macbook Air Macbook Air",
      "description": "Macbook Air Macbook Air",
      "modified": "2026-02-05T07:00:52.044000",
      "created": "2026-01-06T08:20:05.305000",
      "tags": [
        "doctype",
        "public",
        "data",
        "drive",
        "problems1",
        "no problems",
        "upload",
        "tue aug",
        "scanid",
        "archivetype",
        "june",
        "look",
        "accept",
        "internal",
        "ransomware",
        "error",
        "trace",
        "sparkle",
        "fusion",
        "alphabet",
        "path",
        "archivesize",
        "archivemd5",
        "archivesha256",
        "open",
        "whirlpool",
        "syst",
        "stream",
        "mercury",
        "import",
        "info",
        "dangerous file",
        "modified",
        "tue jul",
        "mon sep",
        "mon mar",
        "sigtype1",
        "false",
        "warp",
        "powershell",
        "specs",
        "subscore1",
        "Mac",
        "Apple"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12573,
        "FileHash-SHA1": 14594,
        "FileHash-SHA256": 12489,
        "URL": 88,
        "domain": 98,
        "email": 15,
        "hostname": 119
      },
      "indicator_count": 39976,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "695ca8b688eb56b3a0247098",
      "name": "System32 - Subfolders",
      "description": "E:\\Suss-SG2\\System32 - Subfolders.zip",
      "modified": "2026-02-05T06:03:21.110000",
      "created": "2026-01-06T06:16:22.880000",
      "tags": [
        "tue apr",
        "scanid",
        "mon mar",
        "archivesize",
        "archivesha1",
        "archivesha256",
        "archivecreated",
        "f archiveowner",
        "sigtype1",
        "sigclass1",
        "look",
        "powershell",
        "first",
        "strings",
        "dllinject",
        "june",
        "span",
        "error",
        "fail",
        "rooter",
        "info",
        "alphabet",
        "false",
        "path",
        "service",
        "dword",
        "shell",
        "model",
        "assistant",
        "code",
        "syst",
        "checker",
        "rest",
        "core",
        "tencent",
        "null",
        "accept",
        "open",
        "pass",
        "internal",
        "meta",
        "root",
        "desktop",
        "window",
        "maximu",
        "stream",
        "android",
        "comp",
        "date",
        "whirlpool",
        "kevin",
        "sett",
        "locale",
        "cloud",
        "malware",
        "class"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 148,
        "CIDR": 2,
        "FileHash-MD5": 9860,
        "FileHash-SHA1": 10592,
        "FileHash-SHA256": 8443,
        "domain": 147,
        "email": 6,
        "hostname": 49
      },
      "indicator_count": 29247,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "695c9687a283f9b9025214ca",
      "name": "VIRUSTOTAL_RESULT: found VIRUSTOTAL_VERDICTS:",
      "description": "Thor scan Query on infected system\n\n\" VIRUSTOTAL_RESULT: found VIRUSTOTAL_VERDICTS: \"",
      "modified": "2026-02-05T04:02:18.597000",
      "created": "2026-01-06T04:58:47.828000",
      "tags": [
        "scanid",
        "sigtype1",
        "sigclass1",
        "rule matched1",
        "virustotalnames",
        "subscore1",
        "f owner",
        "data",
        "mon mar",
        "drive",
        "june",
        "look",
        "error",
        "powershell",
        "copy",
        "dllinject",
        "open",
        "info",
        "metasploit",
        "null",
        "service",
        "insta",
        "alphabet",
        "code",
        "write",
        "malware",
        "warp",
        "stack",
        "whirlpool",
        "internal",
        "void",
        "premium",
        "defender",
        "shell",
        "virustotal",
        "unknown",
        "form",
        "agent",
        "path",
        "accept",
        "upgrade",
        "webin"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Education",
        "Government",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 73,
        "CVE": 1,
        "FileHash-MD5": 616,
        "FileHash-SHA1": 772,
        "FileHash-SHA256": 560,
        "domain": 50,
        "email": 8,
        "hostname": 55
      },
      "indicator_count": 2135,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "695d668ac3fccc66d2f6d1a8",
      "name": "A. Random to Upload\\System32.zip\\System32",
      "description": "E:\\Suss-SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\A. Random to Upload\\System32.zip\\System32",
      "modified": "2026-02-05T00:04:00.617000",
      "created": "2026-01-06T19:46:17.990000",
      "tags": [
        "random",
        "drive",
        "problems1",
        "data",
        "no problems",
        "upload",
        "progressa",
        "fri sep",
        "mon sep",
        "mon mar",
        "look",
        "first",
        "dllinject",
        "june",
        "powershell",
        "internal",
        "rooter",
        "alphabet",
        "code",
        "error",
        "info",
        "whirlpool",
        "null",
        "false",
        "write",
        "getad",
        "malware",
        "strings",
        "format",
        "plugx",
        "open",
        "spyeye",
        "config",
        "stream",
        "click",
        "shade",
        "spectre",
        "Microsoft",
        "Windows",
        "System32"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 17,
        "FileHash-MD5": 5086,
        "FileHash-SHA1": 3168,
        "FileHash-SHA256": 2935,
        "domain": 55,
        "email": 3,
        "hostname": 18
      },
      "indicator_count": 11282,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694a494827c6d499cb129813",
      "name": "E:\\Suss-SG2\\5.6.22.zip",
      "description": "E:\\Suss-SG2\\5.6.22.zip",
      "modified": "2026-02-01T00:04:14.146000",
      "created": "2025-12-23T07:48:24.188000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/gui/collection/92a0f83827eb2206ad606d967f4efafc4b38f680ecc6c3f66c332c3427fcb1c9",
        "https://www.virustotal.com/gui/collection/92a0f83827eb2206ad606d967f4efafc4b38f680ecc6c3f66c332c3427fcb1c9/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 519,
        "FileHash-SHA1": 275,
        "FileHash-SHA256": 274,
        "URL": 27,
        "email": 2,
        "hostname": 8
      },
      "indicator_count": 1105,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "121 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694b02eb945649ff909f06d5",
      "name": "$RECYCLE . BIN\\ -> Part 2",
      "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta",
      "modified": "2026-01-28T02:03:16.337000",
      "created": "2025-12-23T21:00:27.029000",
      "tags": [
        "Telus",
        "YEG",
        "AHS",
        "Pixel",
        "ConnectCare",
        "Norton",
        "UAlberta",
        "Google"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Education",
        "Technology",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 65761,
        "FileHash-SHA1": 56561,
        "FileHash-SHA256": 43672,
        "domain": 1373,
        "email": 39,
        "URL": 466,
        "hostname": 818,
        "CVE": 3,
        "CIDR": 2
      },
      "indicator_count": 168695,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "125 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694b1230c66ca26213c32f45",
      "name": "E:\\Suss-SG2\\where.zip",
      "description": "E:\\Suss-SG2\\where.zip",
      "modified": "2026-01-28T00:00:40.140000",
      "created": "2025-12-23T22:05:36.653000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 204,
        "FileHash-SHA1": 134,
        "FileHash-SHA256": 132,
        "URL": 9,
        "email": 2,
        "hostname": 3,
        "domain": 1
      },
      "indicator_count": 485,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "125 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694b12cb25e65ba6a29d3649",
      "name": "Avast",
      "description": "E:\\Suss-SG2\\Avast (1)\\",
      "modified": "2026-01-28T00:00:40.140000",
      "created": "2025-12-23T22:08:11.384000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 537,
        "FileHash-SHA1": 339,
        "FileHash-SHA256": 297,
        "URL": 30,
        "domain": 23,
        "email": 5,
        "hostname": 22
      },
      "indicator_count": 1253,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "125 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "695cdac9b35161f837390388",
      "name": "Macbook Air\\MacOS - Macbook Air",
      "description": "Macbook Air\\MacOS - Macbook Air",
      "modified": "2026-01-06T09:50:01.622000",
      "created": "2026-01-06T09:50:01.622000",
      "tags": [
        "doctype",
        "public",
        "data",
        "drive",
        "no problems",
        "upload",
        "problems1",
        "macbook airthor",
        "agent",
        "scanid",
        "look",
        "june",
        "blink",
        "info",
        "date",
        "shift",
        "malware",
        "powershell",
        "null",
        "squirrel",
        "alphabet",
        "accept",
        "whirlpool",
        "error",
        "dllinject",
        "virustotal",
        "enterprise"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6,
        "FileHash-MD5": 59,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 55,
        "domain": 5,
        "email": 2,
        "hostname": 4
      },
      "indicator_count": 212,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "147 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://stuff.rop.io/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://stuff.rop.io/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780397943.5660849
}