{
  "type": "URL",
  "indicator": "https://urlscanner.io/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://urlscanner.io/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4094923471,
      "indicator": "https://urlscanner.io/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "6876e1e75949dfc0fe3c7875",
          "name": "Potentially ICARUS, Strange redirect from urlscan.io to 103.224.212.210",
          "description": "The \u201cPotentially ICARUS\u201d threat hunt focuses on identifying a highly capable and persistent malware strain exhibiting a broad range of tactics and behaviors. This threat shows hallmarks of a multi-purpose implant or a modular malware framework. Sandbox and AV-signature tags on the submitted samples (see the tria.ge reports and the Win.Exploit/Win.Dropper/Trojan tags) classify them variously as adware, bootkit, trojan, stealer, and spyware; these are vendor verdicts rather than confirmed attribution, and the name \u201cPotentially ICARUS\u201d should be read accordingly. The sample uses layered techniques for persistence, evasion, discovery, and privilege escalation.\nPersistence Techniques\n\nObserved persistence artifacts in this pulse include modification of the Session Manager BootExecute value (the UTF-16 hex values in the references decode to the default \u201cautocheck autochk *\u201d entry and a variant with \u201cicarus_rvrt.exe\u201d appended), Image File Execution Options (IFEO) entries, COM hijacking, scheduled tasks, and Active Setup, mapped to T1547.014, T1546.012, T1122, T1542 and T1067. Caveat for hunters: many of the listed references (AvastSvc.exe, aswidsagent.exe, aswBoot.exe, the HKLM\\\\SOFTWARE\\\\Avast Software hive, and honzik.avcdn.net / branding.avast.com / update.avastbrowser.com) appear to be standard Avast product paths and update domains that will also be present on hosts with a legitimate Avast installation; match on the icarus_rvrt.exe BootExecute entry and the behaviors in the tria.ge reports rather than on Avast paths alone, or expect false positives.\n\nThis hunt aims to uncover infection vectors, malicious registry keys, dropped binaries, and behavioral indicators across the environment, with a focus on detecting early execution, data exfiltration mechanisms, and evasion patterns consistent with the ICARUS threat profile.",
          "modified": "2025-08-22T05:03:46.995000",
          "created": "2025-07-15T23:19:02.845000",
          "tags": [
            "potentially",
            "icarus",
            "setup",
            "session manager",
            "com hijacking",
            "task scheduler",
            "com api",
            "image file",
            "ifeo",
            "master boot",
            "aqb1",
            "ndh1",
            "s1280x720",
            "aqe1",
            "qclienttypeweb",
            "p11752710011",
            "p2404",
            "p4eqyyz1w",
            "AvEmUpdate.exe",
            "afwServ.exe",
            "icarus.exe",
            "AvLaunch.exe",
            "avast_free_antivirus_online_setup.exe",
            "AvastBrowser.exe",
            "RegSvr.exe",
            "msiexec.exe",
            "msedge.exe",
            "wsc_proxy.exe",
            "overseer.exe",
            "setup.exe",
            "undefined",
            "Zeppelin_10",
            "ConventionEngine_Anomaly_MultiPDB_Double",
            "RansomWin32Apollo",
            "Win.Exploit.CVE_2019_0803-6976664-0",
            "Trojan.Penguish.an",
            "Win.Dropper.Sykipot-9950506-0",
            ""
          ],
          "references": [
            "AvastBrowserUpdate.exe",
            "update.avastbrowser.com",
            "icarus.exe",
            "icarus.exe",
            "honzik.avcdn.net",
            "branding.avast.com",
            "branding.avast.com",
            "honzik.avcdn.net",
            "branding.avast.com",
            "honzik.avcdn.net",
            "AvastBrowserUpdate.exe",
            "update.avastbrowser.com",
            "172.66.175.47",
            "AvastBrowserUpdate.exe",
            "update.avastbrowser.com",
            "172.66.175.47",
            "update.avastbrowser.com",
            "172.66.175.47",
            "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
            "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
            "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
            "icarus.exe",
            "AvastBrowserUpdate.exe",
            "C:\\Windows\\system32\\aswBoot.exe",
            "C:\\Windows\\system32\\aswBoot.exe",
            "C:\\Windows\\system32\\aswBoot.exe",
            "https://tria.ge/250717-z7b8kssly4",
            "https://tria.ge/250717-zt5yqsbp8z/behavioral1",
            "https://tria.ge/250715-xd58fsysc1",
            "https://tria.ge/250717-zt5yqsbp8z",
            "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
            "https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547.014",
              "name": "Active Setup",
              "display_name": "T1547.014 - Active Setup"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1130",
              "name": "Install Root Certificate",
              "display_name": "T1130 - Install Root Certificate"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1016.001",
              "name": "Internet Connection Discovery",
              "display_name": "T1016.001 - Internet Connection Discovery"
            },
            {
              "id": "T1067",
              "name": "Bootkit",
              "display_name": "T1067 - Bootkit"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1546.012",
              "name": "Image File Execution Options Injection",
              "display_name": "T1546.012 - Image File Execution Options Injection"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            }
          ],
          "industries": [
            "Cyber Security and Networking"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 165,
            "domain": 65,
            "hostname": 57,
            "FileHash-MD5": 4197,
            "FileHash-SHA256": 4117,
            "FileHash-SHA1": 4092
          },
          "indicator_count": 12693,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "282 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://tria.ge/250717-zt5yqsbp8z",
        "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
        "C:\\Windows\\system32\\aswBoot.exe",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "https://tria.ge/250717-zt5yqsbp8z/behavioral1",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "honzik.avcdn.net",
        "branding.avast.com",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
        "AvastBrowserUpdate.exe",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
        "https://tria.ge/250715-xd58fsysc1",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
        "icarus.exe",
        "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
        "https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/",
        "https://tria.ge/250717-z7b8kssly4",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
        "update.avastbrowser.com",
        "172.66.175.47"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Cyber security and networking"
          ],
          "unique_indicators": 6437
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/urlscanner.io",
    "whois": "http://whois.domaintools.com/urlscanner.io",
    "domain": "urlscanner.io",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "6876e1e75949dfc0fe3c7875",
      "name": "Potentially ICARUS, Strange redirect from urlscan.io to 103.224.212.210",
      "description": "The \u201cPotentially ICARUS\u201d threat hunt focuses on identifying a highly capable and persistent malware strain exhibiting a broad range of tactics and behaviors. This threat shows hallmarks of a multi-purpose implant or a modular malware framework. Sandbox and AV-signature tags on the submitted samples (see the tria.ge reports and the Win.Exploit/Win.Dropper/Trojan tags) classify them variously as adware, bootkit, trojan, stealer, and spyware; these are vendor verdicts rather than confirmed attribution, and the name \u201cPotentially ICARUS\u201d should be read accordingly. The sample uses layered techniques for persistence, evasion, discovery, and privilege escalation.\nPersistence Techniques\n\nObserved persistence artifacts in this pulse include modification of the Session Manager BootExecute value (the UTF-16 hex values in the references decode to the default \u201cautocheck autochk *\u201d entry and a variant with \u201cicarus_rvrt.exe\u201d appended), Image File Execution Options (IFEO) entries, COM hijacking, scheduled tasks, and Active Setup, mapped to T1547.014, T1546.012, T1122, T1542 and T1067. Caveat for hunters: many of the listed references (AvastSvc.exe, aswidsagent.exe, aswBoot.exe, the HKLM\\\\SOFTWARE\\\\Avast Software hive, and honzik.avcdn.net / branding.avast.com / update.avastbrowser.com) appear to be standard Avast product paths and update domains that will also be present on hosts with a legitimate Avast installation; match on the icarus_rvrt.exe BootExecute entry and the behaviors in the tria.ge reports rather than on Avast paths alone, or expect false positives.\n\nThis hunt aims to uncover infection vectors, malicious registry keys, dropped binaries, and behavioral indicators across the environment, with a focus on detecting early execution, data exfiltration mechanisms, and evasion patterns consistent with the ICARUS threat profile.",
      "modified": "2025-08-22T05:03:46.995000",
      "created": "2025-07-15T23:19:02.845000",
      "tags": [
        "potentially",
        "icarus",
        "setup",
        "session manager",
        "com hijacking",
        "task scheduler",
        "com api",
        "image file",
        "ifeo",
        "master boot",
        "aqb1",
        "ndh1",
        "s1280x720",
        "aqe1",
        "qclienttypeweb",
        "p11752710011",
        "p2404",
        "p4eqyyz1w",
        "AvEmUpdate.exe",
        "afwServ.exe",
        "icarus.exe",
        "AvLaunch.exe",
        "avast_free_antivirus_online_setup.exe",
        "AvastBrowser.exe",
        "RegSvr.exe",
        "msiexec.exe",
        "msedge.exe",
        "wsc_proxy.exe",
        "overseer.exe",
        "setup.exe",
        "undefined",
        "Zeppelin_10",
        "ConventionEngine_Anomaly_MultiPDB_Double",
        "RansomWin32Apollo",
        "Win.Exploit.CVE_2019_0803-6976664-0",
        "Trojan.Penguish.an",
        "Win.Dropper.Sykipot-9950506-0",
        ""
      ],
      "references": [
        "AvastBrowserUpdate.exe",
        "update.avastbrowser.com",
        "icarus.exe",
        "icarus.exe",
        "honzik.avcdn.net",
        "branding.avast.com",
        "branding.avast.com",
        "honzik.avcdn.net",
        "branding.avast.com",
        "honzik.avcdn.net",
        "AvastBrowserUpdate.exe",
        "update.avastbrowser.com",
        "172.66.175.47",
        "AvastBrowserUpdate.exe",
        "update.avastbrowser.com",
        "172.66.175.47",
        "update.avastbrowser.com",
        "172.66.175.47",
        "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
        "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
        "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
        "icarus.exe",
        "AvastBrowserUpdate.exe",
        "C:\\Windows\\system32\\aswBoot.exe",
        "C:\\Windows\\system32\\aswBoot.exe",
        "C:\\Windows\\system32\\aswBoot.exe",
        "https://tria.ge/250717-z7b8kssly4",
        "https://tria.ge/250717-zt5yqsbp8z/behavioral1",
        "https://tria.ge/250715-xd58fsysc1",
        "https://tria.ge/250717-zt5yqsbp8z",
        "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
        "https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1547.014",
          "name": "Active Setup",
          "display_name": "T1547.014 - Active Setup"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1130",
          "name": "Install Root Certificate",
          "display_name": "T1130 - Install Root Certificate"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1016.001",
          "name": "Internet Connection Discovery",
          "display_name": "T1016.001 - Internet Connection Discovery"
        },
        {
          "id": "T1067",
          "name": "Bootkit",
          "display_name": "T1067 - Bootkit"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1546.012",
          "name": "Image File Execution Options Injection",
          "display_name": "T1546.012 - Image File Execution Options Injection"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        }
      ],
      "industries": [
        "Cyber Security and Networking"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "r0b1nh0od",
        "id": "320328",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 165,
        "domain": 65,
        "hostname": 57,
        "FileHash-MD5": 4197,
        "FileHash-SHA256": 4117,
        "FileHash-SHA1": 4092
      },
      "indicator_count": 12693,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 26,
      "modified_text": "282 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://urlscanner.io/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://urlscanner.io/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780246298.6374915
}