{ "type": "URL", "indicator": "https://w3-reporting.reddit.com/reports", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://w3-reporting.reddit.com/reports", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #20", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #284", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain reddit.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain reddit.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3808658256, "indicator": "https://w3-reporting.reddit.com/reports", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6758a748b4cd306ce7d85958", "name": "Report - ualberta.ca - URL Query & Malcore 02.12.25", "description": "https://urlquery.net/report/d314b7e6-00c8-41ad-b723-adf06dc95b92\n\nhttps://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe", "modified": "2025-03-14T23:00:12.988000", "created": "2024-12-10T20:40:40.798000", "tags": [ "url", "sandbox", "scanner", "reputation", "phishing", "malware", "http2", "linux x8664", "accept", "expirestue", "gmt file", "url get", "fingerprint", "http headers", "hash", "size", "path", "date", "write", "june", "UAlberta" ], "references": [ "https://urlquery.net/report/d314b7e6-00c8-41ad-b723-adf06dc95b92", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 105, "FileHash-SHA256": 106, "SSLCertFingerprint": 13, "URL": 214, "domain": 17, "hostname": 120 }, "indicator_count": 689, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "443 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "thecomments.app", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "https://www.reddit.com/user/", "ddos.dnsnb8.net [command_and_control]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "104.86.182.8 [command_and_control]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "nr-data.net [Apple Private Data Collection]", "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "www.jamesbgriffinlaw.com (toolbox)", "Gowi Live Bot.exe", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "www.supernetforme.com [command_and_control]", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "86.140.232.148 [scanning_host]", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "tulach.cc [AM | phishing]", "103.224.182.253 [command_and_control]", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe", "72.167.124.187 [phishing]", "3.163.189.120 [Tracking]", "http://www.sheraises.com/wcur/ [phishing]", "https://www.mccormick-designs.com", "applephonenw.com [governmentattic]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "rp.downloadastrocdn.com [command_and_control]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "https://urlquery.net/report/d314b7e6-00c8-41ad-b723-adf06dc95b92", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "http://mcbut.live (Not present? Absent today - unexcused)", "https://tulach.cc/ [phishing attacks]", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "103.224.182.246 [command_and_control]", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "checkip.dyndns.org [command_and_control]", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Artro", "Malware", "Win.trojan", "#lowfi:hstr:win32/airinstaller.b", "Trojanspy:win32/nivdort", "Trojandownloader:win32/upatre.o", "Nsis", "Win.trojan.zbot-64721", "Tulach malware", "Alf:jasyp:trojandownloader:win32/startpage!atmn", "Static ai - malicious pe", "Win.dropper.remcos-9970861-0", "Win32:malware-gen", "Ransom:win32/teerac.a", "Trojandownloader:win32/upatre", "Agent tesla", "Trojan:win32/neconyd.a", "Alf:heraklezeval:pua:win32/imali", "Win.trojan.airinstall-1", "Am", "Virtool:win32/injector.gen!bq", "Win.trojan.nsis-41", "Honeypot", "Adware.pcappstore/veryfast" ], "industries": [ "Technology", "Telecommunications", "Education", "Government" ], "unique_indicators": 34390 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/reddit.com", "whois": "http://whois.domaintools.com/reddit.com", "domain": "reddit.com", "hostname": "w3-reporting.reddit.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6758a748b4cd306ce7d85958", "name": "Report - ualberta.ca - URL Query & Malcore 02.12.25", "description": "https://urlquery.net/report/d314b7e6-00c8-41ad-b723-adf06dc95b92\n\nhttps://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe", "modified": "2025-03-14T23:00:12.988000", "created": "2024-12-10T20:40:40.798000", "tags": [ "url", "sandbox", "scanner", "reputation", "phishing", "malware", "http2", "linux x8664", "accept", "expirestue", "gmt file", "url get", "fingerprint", "http headers", "hash", "size", "path", "date", "write", "june", "UAlberta" ], "references": [ "https://urlquery.net/report/d314b7e6-00c8-41ad-b723-adf06dc95b92", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 105, "FileHash-SHA256": 106, "SSLCertFingerprint": 13, "URL": 214, "domain": 17, "hostname": 120 }, "indicator_count": 689, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "443 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://w3-reporting.reddit.com/reports", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://w3-reporting.reddit.com/reports", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780271323.1381178 }