{
"type": "URL",
"indicator": "https://u.b.is",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://u.b.is",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3162388339,
"indicator": "https://u.b.is",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 9,
"pulses": [
{
"id": "6692440efac39f5213329f13",
"name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox",
"description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.",
"modified": "2024-08-12T08:04:00.041000",
"created": "2024-07-13T09:08:30.431000",
"tags": [
"historical ssl",
"referrer",
"june",
"october",
"july",
"hacker",
"pe resource",
"mustang panda",
"plugx",
"cryptbot",
"threat roundup",
"december",
"process32nextw",
"regsetvalueexa",
"x00x00",
"regdword",
"memcommit",
"high",
"regbinary",
"okrnserver",
"regsetvalueexw",
"download",
"copy",
"as15169 google",
"united",
"aaaa",
"unknown",
"gmt path",
"passive dns",
"search",
"cname",
"showing",
"cookie",
"ascii text",
"pattern match",
"error",
"null",
"typeerror",
"sha1",
"mitre att",
"et tor",
"known tor",
"date",
"infinity",
"onload",
"trident",
"android",
"void",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"generator",
"third-party-cookies",
"text/html",
"trackers",
"external-resources",
"iframes",
"entries",
"status",
"name servers",
"urls",
"next",
"nxdomain",
"susp",
"a nxdomain",
"domain",
"win32",
"as62597",
"france unknown",
"for privacy",
"moved",
"a domains",
"meta",
"gmt cache",
"trojan",
"creation date",
"record value",
"script urls",
"as55293 a2",
"as44273 host",
"canada unknown",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"files",
"ip address",
"location canada",
"443 ma2592000",
"code",
"trojanspy",
"type",
"ipv4",
"twitter",
"trojandropper",
"find",
"form",
"less see",
"formbook cnc",
"checkin",
"a li",
"li ul",
"cycbot",
"emails",
"as20940",
"as54113",
"asnone denmark",
"worm",
"asnone",
"as4230 claro",
"refloadapihash",
"salicode",
"div div",
"wi fi",
"orion wi",
"orion",
"a div",
"div section",
"orion logo",
"target",
"fast",
"contact",
"open",
"virtool",
"content type",
"found",
"http response",
"final url",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"ubuntu",
"accept",
"keepalive",
"site",
"find people",
"numbers",
"sptox",
"utc google",
"html info",
"title spytox",
"emails meta",
"tags viewport",
"spytox og",
"type win32",
"exe size",
"mb first",
"seen",
"file name",
"avg win32",
"fortinet",
"double click",
"solutions",
"domains",
"sneaky server",
"replacement",
"unauthorized",
"malware http",
"core",
"sim unlock",
"emotet",
"ta569",
"critical",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 protector",
"confuser",
"confuserex",
"checker",
"samplename",
"bonusbitcoin",
"xslayer",
"samplepath",
"names",
"details",
"header intel",
"name md5",
"language",
"contained",
"rticon neutral",
"ico rtgroupicon",
"neutral",
"assembly common",
"clr version",
"assembly name",
"metadata header",
"entry point",
"rva entry",
"strong name",
"streams size",
"entropy chi2",
"ip detections",
"country",
"executable",
"info header",
"allmul vbaget4",
"adjfprem ord",
"data rtversion",
"generic",
"file type",
"win32 exe",
"kb file",
"graph",
"user",
"windir",
"downloads",
"written c",
"files deleted",
"dropped c",
"process",
"logistics",
"cyber defense",
"brazzers",
"tsara brashears",
"gpt analyzer",
"apple private",
"data collection",
"twitter andor",
"snatch",
"ransomware",
"default",
"rticon english",
"type name",
"data",
"getfilesize",
"getdc copyimage",
"rticon russian",
"pe32 executable",
"borland delphi",
"delphi generic",
"dos borland",
"hkcuclsid",
"registry keys",
"hkcrclsid",
"file system",
"settings c",
"files c",
"shared c",
"sharedink c",
"hostname",
"as29791",
"as8426 claranet",
"malware",
"network",
"apple ios",
"apple",
"tmobile metro",
"apeaksoft ios",
"spybanker",
"remcos",
"adwind",
"njrat",
"guloader",
"banload",
"asyncrat",
"arkeistealer",
"danabot",
"nordvpnsetup",
"kb graph",
"summary",
"sharedinkarsa c",
"sharedinkbgbg c",
"sharedinkcscz c",
"sharedinkdadk c",
"gmt etag",
"x amz",
"body",
"body html",
"bq jul",
"et trojan",
"v4inhxvlhx0",
"medium",
"memreserve",
"checks amount",
"t1082",
"module load",
"e weowe64e",
"edelepexe",
"e rev",
"weinedoewse net",
"ransom",
"show",
"filehash",
"related",
"reverse dns",
"haut",
"servers",
"pulse submit",
"as3215 orange",
"france",
"backdoor",
"paris",
"honeypot",
"python",
"callback phishing",
"teams",
"porn related",
"harassment"
],
"references": [
"https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?",
"Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread",
"Antivirus Detections: Win.Malware.Oxypumper-6900445-0",
"IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile",
"IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)",
"IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)",
"Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
"Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
"Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
"Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ",
"google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/",
"https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622",
"Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")",
"scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99",
"Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9",
"Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a",
"Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx",
"Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp",
"iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com",
"iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com",
"iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com",
"iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com",
"iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E",
"Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/",
"DotNET_Crypto_Obfuscator",
"Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,",
"Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,",
"Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA",
"IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,",
"IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...",
"https://otx.alienvault.com/indicator/ip/216.40.34.41",
"Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97",
"ns2.tsaratsovo.net",
"FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955",
"FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79",
"FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848",
"DotNET_Crypto_Obfuscator",
"Antivirus Detections: Win32:MalwareX-gen\\ [Trj]",
"IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator",
"Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx",
"Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger",
"https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29",
"Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE",
"Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string",
"Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
"Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9",
"Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5",
"1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com",
"mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
"https://www.YouTube.com/polebote"
],
"public": 1,
"adversary": "Mustang Panda",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Oxypumper-6900445-0",
"display_name": "Win.Malware.Oxypumper-6900445-0",
"target": null
},
{
"id": "Backdoor:Win32/Plugx",
"display_name": "Backdoor:Win32/Plugx",
"target": "/malware/Backdoor:Win32/Plugx"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Ransom:Win32/GandCrab.AE",
"display_name": "Ransom:Win32/GandCrab.AE",
"target": "/malware/Ransom:Win32/GandCrab.AE"
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDropper:Win32/Tofsee",
"display_name": "TrojanDropper:Win32/Tofsee",
"target": "/malware/TrojanDropper:Win32/Tofsee"
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1595",
"name": "Active Scanning",
"display_name": "T1595 - Active Scanning"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 71,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 568,
"FileHash-SHA1": 537,
"FileHash-SHA256": 4887,
"URL": 4773,
"domain": 2346,
"hostname": 1884,
"SSLCertFingerprint": 15,
"email": 16,
"CVE": 1
},
"indicator_count": 15027,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 238,
"modified_text": "657 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708e2d7cb4228401888b63",
"name": "possibly a central bank",
"description": "",
"modified": "2023-12-06T15:07:25.990000",
"created": "2023-12-06T15:07:25.990000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 622,
"domain": 2558,
"URL": 4203,
"hostname": 1221,
"CVE": 1
},
"indicator_count": 8605,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c13ee010f81d3f9b3af",
"name": "Malware hosting - hostrocket.com",
"description": "",
"modified": "2023-12-06T14:58:27.115000",
"created": "2023-12-06T14:58:27.115000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 232,
"hostname": 963,
"domain": 412,
"URL": 2337,
"email": 3,
"FileHash-MD5": 1,
"FileHash-SHA1": 1
},
"indicator_count": 3949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707fe17dfdfe16066d16de",
"name": "Bexar.org",
"description": "",
"modified": "2023-12-06T14:06:25.800000",
"created": "2023-12-06T14:06:25.800000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1735,
"hostname": 1833,
"domain": 1025,
"URL": 4668,
"email": 4,
"FileHash-MD5": 133,
"FileHash-SHA1": 6,
"CIDR": 5
},
"indicator_count": 9409,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62e1ca167a1591e7b4ca1129",
"name": "VirusTotal view-source on https://www.virustotal.com/en/file/undefined/analysis/",
"description": "someone really needs to figure out wtf this is all doing it has to be part of the net.sh",
"modified": "2022-07-28T02:05:04.183000",
"created": "2022-07-27T23:28:22.504000",
"tags": [
"array",
"object",
"typeof t",
"layer1",
"error",
"path",
"function",
"typeerror",
"date",
"svg export",
"span",
"null",
"unknown",
"click",
"february",
"april",
"june",
"august",
"this",
"void",
"bounce",
"string",
"regexp",
"number",
"sxa0",
"amptoken",
"optout",
"notfound",
"contenttype",
"form",
"copyright",
"element",
"polymer project",
"authors",
"bsd style",
"code",
"google",
"software",
"window",
"generator",
"comment",
"trident",
"typeof e",
"typeof symbol",
"typeof btoa",
"btoa",
"typeof reflect",
"boolean",
"customevent",
"plugin",
"build",
"home",
"intelligence",
"graph",
"report",
"urls",
"please",
"javascript",
"https://www.virustotal.com/en/file/undefined/analysis/",
"net.sh"
],
"references": [
"entity%3Aip%20whois%3Ainfo%40anodicnetwork.com.html",
"14.main.bundle.91f9f7ff635e0b797de3.js",
"5.main.bundle.e92e5e24e074f9c2a52b.js",
"0.main.bundle.a9d68f5204cd3ac257b6.js",
"webcomponent-polyfill.js",
"analytics.js",
"12.main.bundle.50be73a11d1d3745a5ee.js",
"\" Page not found Page not found Page not found