{ "type": "URL", "indicator": "https://v423pop.dns0.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://v423pop.dns0.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4024518507, "indicator": "https://v423pop.dns0.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69ba97dadbd6e4729709fa6d", "name": "pobierz.zip Sygn. akt II K 909/23 oskar clone by arek-BTC", "description": "", "modified": "2026-03-18T12:17:30.176000", "created": "2026-03-18T12:17:30.176000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "67c44a6e14a21bec8ba63984", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67ebfc921491771b15be63e3", "name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking", "description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.", "modified": "2025-05-05T16:00:41.799000", "created": "2025-04-01T14:47:46.507000", "tags": [ "Government", "Pegasus", "Graphite", "Skynet", "Malware", "Campaign", "Samsung", "Android", "Unix", "Linux", "Browser", "Windows", "Zeroday", "Trojan" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "Spain", "United States of America" ], "malware_families": [ { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Backdoor:Win32/Mirai", "display_name": "Backdoor:Win32/Mirai", "target": "/malware/Backdoor:Win32/Mirai" }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "TEL:Spyware:AndroidOS/SpyMax", "display_name": "TEL:Spyware:AndroidOS/SpyMax", "target": null }, { "id": "AndroRAT - MOB-S0008", "display_name": "AndroRAT - MOB-S0008", "target": null }, { "id": "Samsung", "display_name": "Samsung", "target": null }, { "id": "GoogleDrive RAT", "display_name": "GoogleDrive RAT", "target": null }, { "id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "target": null }, { "id": "Backdoor:Win32/DnsDoor", "display_name": "Backdoor:Win32/DnsDoor", "target": "/malware/Backdoor:Win32/DnsDoor" }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:JS/DNSChanger", "display_name": "Trojan:JS/DNSChanger", "target": "/malware/Trojan:JS/DNSChanger" }, { "id": "#PowerShell:EncodedCommand", "display_name": "#PowerShell:EncodedCommand", "target": null }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null } ], "attack_ids": [ { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1568.001", "name": "Fast Flux DNS", "display_name": "T1568.001 - Fast Flux DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" } ], "industries": [ "Government", "Civil", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "depdgaus", "id": "315837", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "domain": 712, "hostname": 1246, "FileHash-SHA256": 900 }, "indicator_count": 6450, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67d2d1b09fdb8a2e083071eb", "name": "AcroRd32.exe c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87", "description": ".AcroRd32.exe\nPID: 7052, Raport UID: 00000000-00007052\nMD5: 92cbd9454fb7a42c4b0858364a759755\nSHA256:c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87\nhttps://hybrid-analysis.com/sample/c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87\nhttps://www.virustotal.com/gui/file/c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87/behavior", "modified": "2025-04-12T12:00:18.832000", "created": "2025-03-13T12:38:08.952000", "tags": [ "vhash", "authentihash", "rich pe", "ssdeep", "user", "samplepath", "userprofile", "protected mode", "file execution", "classname", "files", "adobe reader", "command", "resolved ips", "dword", "shell", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 6, "FileHash-SHA256": 247, "URL": 484, "hostname": 167, "domain": 23 }, "indicator_count": 942, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c44a6e14a21bec8ba63984", "name": "pobierz.zip Sygn. akt II K 909/23 oskar\u017conego z art. 190 \u00a7 1 k.k. i inne", "description": "Sugerowane identyfikatory ATT&CK:\n7eab0ed0a8a050ad34f71dfd3e2109ff SHA1 c60c3d64cfa19fb1f19eabc656aafdcf12d87dd4 SHA256 3d0f3f98cea613718def2eb9dca707ad57d3d96d4e6b593aca38c8574a578905 [VT] [MWDB] [Bazar] SHA3-384 32d70abaa630d0a8e6237b1df88da306306d27096950469ff7e99d754274e28cfaa0736af43ad55f3d57fc66d9812d4d CRC32 C69B0751 TLSH T1013413B6C8A16CF2D93D2BF2D89A3715DFDAB2C28156C057EB22C09359CE5D817438D8 G\u0142\u0119boki 6144:E8FhrpzjsHyC6DgXapizwbZ8ePb85pNLmih2tC:vrpESCUgX8ikbZ8ePb8J0E", "modified": "2025-04-01T09:03:52.165000", "created": "2025-03-02T12:09:18.878000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c3c9bb1edaafe8b41e6fe9", "name": "instrukcja-polaczenia-jitsi---dla-obywatela-v1.4.LNK e4d22d61973fb50ae6236d032ca9cd29cb8e05ccdcc533ada089f61cb192ff5e", "description": "Link target id list\nCLSID_ShellDesktop\nName\nCLSID_ShellDesktop\n CLSID\n20d04fe0-3aea-1069-a2d8-08002b30309d\nZnaczniki iFrame\nZawarto\u015b\u0107 wszystkich znacznik\u00f3w iframe znalezionych w pliku.\nc4a66081d8d55b92a6487767cdd20db98cc609eb36b1a1509e7c2f001c6606bc", "modified": "2025-04-01T02:02:25.113000", "created": "2025-03-02T03:00:11.425000", "tags": [ "rozmiar pliku", "typ pliku", "microsoft word", "sha1", "sha512", "crc32", "gboki", "oszczdno", "vhash", "ssdeep", "k usuga", "uytkownik", "k netsvcs", "s storsvc", "pliki", "w32time c", "sha256", "mitre att", "ck wykonanie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 13, "FileHash-SHA256": 57, "hostname": 10, "URL": 23, "domain": 2 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Government" ], "malware_families": [ "Tel:spyware:androidos/spymax", "Backdoor:win32/mirai", "Backdoor:linux/mirai", "Androrat - mob-s0008", "#powershell:encodedcommand", "#lowfi:hstr:browsermodifier:consentbypass", "Pegasus for android - mob-s0032", "Trojan:js/berbew", "#hstr:hacktool:win32/remoteshell", "Pegasus for android - s0316", "Trojandownloader:linux/mirai", "Alf:backdoor:java/webshell", "Dnspionage", "Backdoor:win32/berbew", "Googledrive rat", "Trojan:js/dnschanger", "Ddos:linux/mirai", "Backdoor:win32/dnsdoor", "Samsung" ], "industries": [ "Government", "Civil", "Healthcare" ], "unique_indicators": 6543 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dns0.org", "whois": "http://whois.domaintools.com/dns0.org", "domain": "dns0.org", "hostname": "v423pop.dns0.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69ba97dadbd6e4729709fa6d", "name": "pobierz.zip Sygn. akt II K 909/23 oskar clone by arek-BTC", "description": "", "modified": "2026-03-18T12:17:30.176000", "created": "2026-03-18T12:17:30.176000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "67c44a6e14a21bec8ba63984", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67ebfc921491771b15be63e3", "name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking", "description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.", "modified": "2025-05-05T16:00:41.799000", "created": "2025-04-01T14:47:46.507000", "tags": [ "Government", "Pegasus", "Graphite", "Skynet", "Malware", "Campaign", "Samsung", "Android", "Unix", "Linux", "Browser", "Windows", "Zeroday", "Trojan" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "Spain", "United States of America" ], "malware_families": [ { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Backdoor:Win32/Mirai", "display_name": "Backdoor:Win32/Mirai", "target": "/malware/Backdoor:Win32/Mirai" }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "TEL:Spyware:AndroidOS/SpyMax", "display_name": "TEL:Spyware:AndroidOS/SpyMax", "target": null }, { "id": "AndroRAT - MOB-S0008", "display_name": "AndroRAT - MOB-S0008", "target": null }, { "id": "Samsung", "display_name": "Samsung", "target": null }, { "id": "GoogleDrive RAT", "display_name": "GoogleDrive RAT", "target": null }, { "id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "target": null }, { "id": "Backdoor:Win32/DnsDoor", "display_name": "Backdoor:Win32/DnsDoor", "target": "/malware/Backdoor:Win32/DnsDoor" }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:JS/DNSChanger", "display_name": "Trojan:JS/DNSChanger", "target": "/malware/Trojan:JS/DNSChanger" }, { "id": "#PowerShell:EncodedCommand", "display_name": "#PowerShell:EncodedCommand", "target": null }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null } ], "attack_ids": [ { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1568.001", "name": "Fast Flux DNS", "display_name": "T1568.001 - Fast Flux DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" } ], "industries": [ "Government", "Civil", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "depdgaus", "id": "315837", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "domain": 712, "hostname": 1246, "FileHash-SHA256": 900 }, "indicator_count": 6450, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67d2d1b09fdb8a2e083071eb", "name": "AcroRd32.exe c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87", "description": ".AcroRd32.exe\nPID: 7052, Raport UID: 00000000-00007052\nMD5: 92cbd9454fb7a42c4b0858364a759755\nSHA256:c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87\nhttps://hybrid-analysis.com/sample/c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87\nhttps://www.virustotal.com/gui/file/c43c0929e1f9b27dac07d49b0a659e83be4cdb4dfdd709eb7e37a341cd169e87/behavior", "modified": "2025-04-12T12:00:18.832000", "created": "2025-03-13T12:38:08.952000", "tags": [ "vhash", "authentihash", "rich pe", "ssdeep", "user", "samplepath", "userprofile", "protected mode", "file execution", "classname", "files", "adobe reader", "command", "resolved ips", "dword", "shell", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 6, "FileHash-SHA256": 247, "URL": 484, "hostname": 167, "domain": 23 }, "indicator_count": 942, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c44a6e14a21bec8ba63984", "name": "pobierz.zip Sygn. akt II K 909/23 oskar\u017conego z art. 190 \u00a7 1 k.k. i inne", "description": "Sugerowane identyfikatory ATT&CK:\n7eab0ed0a8a050ad34f71dfd3e2109ff SHA1 c60c3d64cfa19fb1f19eabc656aafdcf12d87dd4 SHA256 3d0f3f98cea613718def2eb9dca707ad57d3d96d4e6b593aca38c8574a578905 [VT] [MWDB] [Bazar] SHA3-384 32d70abaa630d0a8e6237b1df88da306306d27096950469ff7e99d754274e28cfaa0736af43ad55f3d57fc66d9812d4d CRC32 C69B0751 TLSH T1013413B6C8A16CF2D93D2BF2D89A3715DFDAB2C28156C057EB22C09359CE5D817438D8 G\u0142\u0119boki 6144:E8FhrpzjsHyC6DgXapizwbZ8ePb85pNLmih2tC:vrpESCUgX8ikbZ8ePb8J0E", "modified": "2025-04-01T09:03:52.165000", "created": "2025-03-02T12:09:18.878000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c3c9bb1edaafe8b41e6fe9", "name": "instrukcja-polaczenia-jitsi---dla-obywatela-v1.4.LNK e4d22d61973fb50ae6236d032ca9cd29cb8e05ccdcc533ada089f61cb192ff5e", "description": "Link target id list\nCLSID_ShellDesktop\nName\nCLSID_ShellDesktop\n CLSID\n20d04fe0-3aea-1069-a2d8-08002b30309d\nZnaczniki iFrame\nZawarto\u015b\u0107 wszystkich znacznik\u00f3w iframe znalezionych w pliku.\nc4a66081d8d55b92a6487767cdd20db98cc609eb36b1a1509e7c2f001c6606bc", "modified": "2025-04-01T02:02:25.113000", "created": "2025-03-02T03:00:11.425000", "tags": [ "rozmiar pliku", "typ pliku", "microsoft word", "sha1", "sha512", "crc32", "gboki", "oszczdno", "vhash", "ssdeep", "k usuga", "uytkownik", "k netsvcs", "s storsvc", "pliki", "w32time c", "sha256", "mitre att", "ck wykonanie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 13, "FileHash-SHA256": 57, "hostname": 10, "URL": 23, "domain": 2 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://v423pop.dns0.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://v423pop.dns0.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780358830.4782412 }