{
"type": "URL",
"indicator": "https://webadmin.freeje.org",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://webadmin.freeje.org",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4166206466,
"indicator": "https://webadmin.freeje.org",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d68050bbd9e2f701875e2d",
"name": "Mirai [ Combined MSUDOSOS & Q.Vashti Pulses) of IoC\u2019s by attacker Christopher P. Ahmann",
"description": "I came across \u2018The Belasco Chain\u2019 by MSUDOOS while sourcing for an IoC from one of my earlier pulses. A recommended albeit disturbing \u2018good\u2019 read. The researcher / writer MSUDOOS acknowledges the work of a stealth hacker team. Appreciable observations, very well researched , discriminating writing style. \n\nI would encourage anyone to review the pulse by MSUDOSOS; found in references.\n\nI\u2019ve tried to gain insight into whether this researcher is a group of researchers. I receive alerts with insightful Pulses multiple times per 24 hour period. If so, this is a very effective way to research. \n#mirai #dark_reads\n#you_don\u2019t_have_to_slap_me_twice",
"modified": "2026-04-08T16:20:32.277000",
"created": "2026-04-08T16:20:32.277000",
"tags": [
"compromised_site_redirector_fromcharcode",
"malware",
"ids detections",
"yara detections",
"alerts",
"mirai",
"active",
"trojan",
"elf"
],
"references": [
"IoC\u2019s from Q.Vashti & MSUDOOS pulses",
"The Belasco Chain by MSUDOOS",
"Please review pulse by MSUDOSOS! Read this spine tingling Pulse. Subscribe. Hate or love it ,knowledge bank found here.",
"https://otx.alienvault.com/pulse/69a02837827feb0b78fa3ad2"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 27,
"FileHash-SHA1": 26,
"FileHash-SHA256": 53,
"IPv4": 1,
"domain": 23,
"hostname": 51,
"URL": 75
},
"indicator_count": 256,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "11 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698e906da16336f8e87c3b90",
"name": "CoinHive Clone ",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-13T02:46:05.544000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "698966742c9fd9691396bb3a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5836,
"domain": 857,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1842,
"email": 7,
"FileHash-SHA256": 947,
"CVE": 43,
"SSLCertFingerprint": 8
},
"indicator_count": 9872,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698966742c9fd9691396bb3a",
"name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM",
"description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.",
"modified": "2026-03-11T04:02:50.189000",
"created": "2026-02-09T04:45:40.250000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5779,
"domain": 730,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1790,
"email": 5,
"FileHash-SHA256": 947,
"CVE": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 9594,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "39 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958780c8479a9d69920c3d8",
"name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack",
"description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.",
"modified": "2026-02-02T01:02:46.327000",
"created": "2026-01-03T01:59:40.530000",
"tags": [
"united",
"moved",
"title",
"passive dns",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"location united",
"hash avast",
"avg clamav",
"msdefender mar",
"read c",
"create c",
"medium",
"search",
"memcommit",
"high",
"checks",
"windows",
"execution",
"dock",
"write",
"persistence",
"capture",
"local",
"ref b",
"wed may",
"backdoor",
"mtb aug",
"next associated",
"mtb dec",
"twitter",
"smoke loader",
"malware",
"virtool",
"hacktool",
"data upload",
"present dec",
"mtb apr",
"win32",
"trojan",
"worm",
"lowfi",
"cybota",
"expiration date",
"name servers",
"ipv4",
"url analysis",
"port",
"destination",
"telnet login",
"bad login",
"gpl telnet",
"suspicious path",
"busybox",
"tcp syn",
"et telnet",
"path",
"mirai",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"america",
"ck id",
"name tactics",
"suspicious",
"informative",
"learn",
"t1179 hooking",
"installs",
"t1035 service",
"adversaries",
"msie",
"windows nt",
"slcc2",
"media center",
"y013",
"flag",
"span",
"accept",
"core",
"february",
"hybrid",
"malicious",
"general",
"click",
"strings",
"roboto",
"next",
"usa windows",
"finished",
"queueprogress",
"timestamp input",
"threat level",
"october",
"september",
"hwp support",
"fresh",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"programfiles",
"comspec",
"model",
"iframe",
"form",
"listeners",
"initial access",
"t1590 gather",
"victim network",
"ssl certificate",
"quasi government",
"jeffrey reimer",
"palantir",
"Regis university",
"otx hp",
"apple",
"pegasus",
"h5 data center",
"florence colorado",
"brian sabey",
"target : Tsara Brasheaers",
"aig",
"industry and commerce",
"united states",
"State of Colorado.",
"date",
"status",
"domain",
"hostname add",
"pulse pulses",
"files ip",
"address",
"url https",
"url http",
"hostname",
"show",
"type indicator",
"source hostname",
"entries",
"Prometheus Intelligence Technology",
"pulse submit",
"america flag",
"body",
"dynamicloader",
"microsoft azure",
"tls issuing",
"named pipe",
"json",
"ascii text",
"lredmond",
"Apple",
"Telnet",
"BusyBox",
"Pegasus",
"Colorado State Fixer: Christopher P. Ahmann",
"Hijacker: Brian Sabey",
"For: Concentra",
"Protecting Assaulter: Jeffrey Reimer",
"For: AIG",
"For Industry and Commerce",
"For: Quasi Government",
"For: Workers Compensation",
"Authorities",
"Law Enforcement Dark",
"Silencing",
"Tampering with a Victim",
"Meta",
"Palantir",
"Google",
"Bing",
"Microsoft",
"ColoCrossing",
"Associates",
"hit men"
],
"references": [
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"Yara Detections is__elf",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"104.21.51.140, 172.67.181.41",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"This is hard to comprehend or put into indelible words."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "HackTool:MSIL/Boilod.C!bit",
"display_name": "HackTool:MSIL/Boilod.C!bit",
"target": "/malware/HackTool:MSIL/Boilod.C!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6390,
"domain": 723,
"hostname": 1978,
"FileHash-SHA256": 1912,
"FileHash-MD5": 410,
"FileHash-SHA1": 306,
"email": 3,
"SSLCertFingerprint": 28,
"CVE": 3
},
"indicator_count": 11753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "76 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"BinBusyBox: 0x.un5t48l3.host",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://otx.alienvault.com/pulse/69a02837827feb0b78fa3ad2",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"https://eurotarget.com/it/auto/toyota/c-hr/",
"Yara Detections is__elf",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"TCP SYN packets were observed",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"Colorado maintains a public-facing police misconduct database via the state's",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"Has been present throughout a specific campaign",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"Win32/Tofsee.AX google.com connectivity check",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"https://therahand.com",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"ET WORM TheMoon.linksys.router",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"This is hard to comprehend or put into indelible words.",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"www.socialimages.reputationdatabase.com",
"The Belasco Chain by MSUDOOS",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"https://pamchall.com/Telegram@V2ray_Alpha/",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"AS24961 MyLoc Managed IT AG",
"https://www.red-gate.com/products/smartassembly",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"Mirai",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Contacted: newmethcnc.duckdns.org",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com",
"https://t.me/",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"Please review pulse by MSUDOSOS! Read this spine tingling Pulse. Subscribe. Hate or love it ,knowledge bank found here.",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"IoC\u2019s from Q.Vashti & MSUDOOS pulses",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"genealogytrails.com",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"104.21.51.140, 172.67.181.41",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Yara Detections: Cabinet_Archive , SFX_CAB"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"NSO Pegasus"
],
"malware_families": [
"Unix.trojan.darknexus-7679166-0",
"Win.trojan.vb-83922",
"Et",
"Mirai (elf)",
"Unix.trojan.mirai-7646352-0",
"Unix.trojan.mirai-5607483-0",
"Win.trojan.agent-306281",
"Pegasus",
"Elf:gafgyt-dz\\ [trj]",
"Hacktool:msil/boilod.c!bit",
"Nids",
"Fakeav.for",
"Backdoor:linux/mirai.n!mtb",
"Mirai",
"Win.malware.reline-9887776-0",
"Virtool:win32/obfuscator.ki",
"Other:malware-gen\\ [trj]",
"Win32:malob-db\\ [cryp]",
"Spyfu",
"Elf:mirai-gh\\ [trj]",
"Virtool:win32/vbinject.gen!jb",
"Other malware",
"Backdoor:win32/tofsee.t"
],
"industries": [
"Technology",
"Telecom",
"Healthcare",
"Civil society",
"Insurance"
],
"unique_indicators": 56239
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/freeje.org",
"whois": "http://whois.domaintools.com/freeje.org",
"domain": "freeje.org",
"hostname": "webadmin.freeje.org"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69d68050bbd9e2f701875e2d",
"name": "Mirai [ Combined MSUDOSOS & Q.Vashti Pulses) of IoC\u2019s by attacker Christopher P. Ahmann",
"description": "I came across \u2018The Belasco Chain\u2019 by MSUDOOS while sourcing for an IoC from one of my earlier pulses. A recommended albeit disturbing \u2018good\u2019 read. The researcher / writer MSUDOOS acknowledges the work of a stealth hacker team. Appreciable observations, very well researched , discriminating writing style. \n\nI would encourage anyone to review the pulse by MSUDOSOS; found in references.\n\nI\u2019ve tried to gain insight into whether this researcher is a group of researchers. I receive alerts with insightful Pulses multiple times per 24 hour period. If so, this is a very effective way to research. \n#mirai #dark_reads\n#you_don\u2019t_have_to_slap_me_twice",
"modified": "2026-04-08T16:20:32.277000",
"created": "2026-04-08T16:20:32.277000",
"tags": [
"compromised_site_redirector_fromcharcode",
"malware",
"ids detections",
"yara detections",
"alerts",
"mirai",
"active",
"trojan",
"elf"
],
"references": [
"IoC\u2019s from Q.Vashti & MSUDOOS pulses",
"The Belasco Chain by MSUDOOS",
"Please review pulse by MSUDOSOS! Read this spine tingling Pulse. Subscribe. Hate or love it ,knowledge bank found here.",
"https://otx.alienvault.com/pulse/69a02837827feb0b78fa3ad2"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 27,
"FileHash-SHA1": 26,
"FileHash-SHA256": 53,
"IPv4": 1,
"domain": 23,
"hostname": 51,
"URL": 75
},
"indicator_count": 256,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "11 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698e906da16336f8e87c3b90",
"name": "CoinHive Clone ",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-13T02:46:05.544000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "698966742c9fd9691396bb3a",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5836,
"domain": 857,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1842,
"email": 7,
"FileHash-SHA256": 947,
"CVE": 43,
"SSLCertFingerprint": 8
},
"indicator_count": 9872,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "698966742c9fd9691396bb3a",
"name": "CoinHive In-Browser Miner | ET EXPLOIT Linksys E-Series Device RCE Attempt via \u2018AI chat\u2019 Xfinity Commercial Fleet vehicle parked /AITM",
"description": "Merits further research. Work no is consistent with a man advocate named Michael\nRoberts of Rexxfield and Miles2/ Mile2 / seen frequently in attacks against females | targeted individual apparently was using an AI browser search when a keyword triggered glitches.\nSearch of a URL\ntarget has never heard of or seen found in device search results. Targets device injected, Mirai botnet found, Other suspicious findings. TBConrinued..:.\n[OTX. Auto populated Significantly more details have been revealed about the GoDaddy.com domain, which has been listed as an unregistered domain by the Internet Service Authority (icann). and its users are not allowed to use it.] #man_jn_tve_midxle #drive_ by_compromise #injection.",
"modified": "2026-03-11T04:02:50.189000",
"created": "2026-02-09T04:45:40.250000",
"tags": [
"united",
"td tr",
"a domains",
"history group",
"state",
"b td",
"present sep",
"find",
"alabama",
"iowa",
"apache",
"content type",
"passive dns",
"meta http",
"content",
"gmt server",
"pragma",
"title",
"linksys eseries",
"device rce",
"inbound",
"et exploit",
"attempt",
"et webserver",
"suspicious user",
"user agent",
"et worm",
"policy python",
"python",
"agent",
"generic",
"malware",
"nids",
"dst_ip",
"\"sid\": 2017515,",
"2020/08/23",
"dst_port\": 8080",
"suricata",
"network_icmp",
"tcp_syn_scan",
"unix",
"mirai",
"infection",
"port 8080",
"aitm",
"mitm",
"xfinity",
"lumen backbone",
"xfinity cf",
"et info",
"useragent",
"webserver",
"android",
"linux",
"statistically stripped",
"local",
"Jefferson County",
"Colorado",
"State",
"is__elf",
"is__war",
"cyber warfare",
"marking",
"targeting",
"stalking",
"impersonating",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"initial access",
"defense evasion",
"mitre att",
"ck matrix",
"february",
"hybrid",
"general",
"path",
"encrypt",
"click",
"strings",
"attack",
"ssl certificate",
"ascii text",
"dynamicloader",
"yara rule",
"ff d5",
"medium",
"high",
"eb d8",
"f0 ff",
"ff bb",
"host",
"unknown",
"explorer",
"virtool",
"write",
"next",
"Douglas County",
"Michael Roberts",
"Brian Sabey",
"Chris\u2019Buzz\u2019 Ahmann",
"Mirai BotMaster",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"date march",
"am size",
"imphash",
"otx logo",
"all filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"moved",
"urls",
"expiration date",
"all hostname",
"files",
"media",
"present feb",
"present jan",
"present dec",
"present nov",
"ip address",
"present",
"codex",
"sf.net",
"next associated",
"ipv4 add",
"location united",
"america flag",
"spawns",
"found",
"t1480 execution",
"pattern match",
"present aug",
"search",
"name servers",
"showing",
"record value",
"meta",
"accept",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"denver",
"yandex",
"post",
"entries",
"post http",
"show",
"post liquor",
"execution",
"port",
"destination",
"icmp traffic",
"dns query",
"include",
"top source"
],
"references": [
"https://genealogytrails.com/njer/morris/mortality_records.html#:~:text=From%20a%20summary%20statement%2C%20in",
"genealogytrails.com",
"It appears to be consistent with AI / SpyFu Michael Roberts | Rexxfield| Mikes IT",
"Has been present throughout a specific campaign",
"Mirai",
"IDS Detections TheMoon.linksys.router 2 Linksys E-Series Device RCE Attempt",
"IDS: Linksys E-Series Device RCE Attempt Outbound Possible HTTP 403 XSS",
"IDS: Attempt (Local Source) 401TRG Generic Webshell Request - POST with wget in body Python Requests",
"IDS: Suspicious User Agent WebShell Generic - wget http - POST User-Agent (python-requests)",
"IDS: Inbound to Webserver CoinHive In-Browser Miner Detected 403 Forbidden",
"ET INFO User-Agent (python-requests) Inbound to Webserver",
"Suspicious User Agent | ETPRO POLICY Python Requests",
"src_ip\": 192.168.122.51 | dst_ip\": 219.91.207.105",
"\u201cNIDS_exploit_alert\" network_icmp\tGenerates some ICMP traffic\t High { \"families\": [], \"description\": \"Generates some ICMP traffic\", \"severity\": 4,",
"TCP SYN packets were observed",
"ET WORM TheMoon.linksys.router",
"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound",
"\"ET WEB_SERVER WebShell Generic - wget http - POST",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , UPXProtectorv10x2 , UPX",
"Alerts: dead_host nids_exploit_alert network_icmp tcp_syn_scan nolookup_communication",
"Alerts: network_cnc_http network_http network_http_post nids_alert p2p_cnc",
"Alerts: writes_to_stdout android , win32 exe , key identifier , win32 dll , x509v3 subject",
"File Type: ELF - ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked stripped:",
"upx.sf.net Malformed domain IPv4 172.67.240.47 In CDN range: provider=cloudflare\t IPv4",
"192.168.122.51 Private IP Address\t MD5 d41d8cd98f00b204e9800998ecf8427e Empty hash of type MD5\t SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Empty hash of type SHA1\t URL http://upx.sf.net",
"Win.Trojan.VB-83922 , VirTool:Win32/VBInject.gen!JB",
"IDS Detections: Win32/Esfury.T Connectivity Check (sstatic1.histats.com) Win32.VBKrypt.xiz",
"IDS: Checkin Win32.VBKrypt.xiz Checkin 2 Win32/Esfury.T Checkin",
"Yara Detections: UPX , LZMA , UPX_OEP_place , UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"Alerts: infostealer_cookies injection_network_traffic injection_write_exe_process",
"Alerts: multiple_useragents persistence_autorun procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys physical_drive_access bypass_firewall disables_folder_options",
"Alerts: disables_run_command disables_uac injection_runpe modify_hostfile modify_uac_prompt persistence_ifeo stealth_hidden_extension stealth_hiddenreg anomalous_deletefile ..",
"IP\u2019s Contacted: 142.251.9.94 104.21.69.250 104.21.61.138 172.237.146.8 34.41.139.193",
"IPs Contacted: 149.56.240.31 172.66.136.209",
"Domains Contacted: c.statcounter.com sstatic1.histats.com",
"Domains Contacted: 54b73b3059myg2kta72weplb2a2uvd.ipcheker.com",
"Domains Contacted: rk1pjif98b4r7zed28hle47wdlw9rm.ipgreat.com",
"Domains Contacted: a2ex04689txl10z.directorio-w.com www.directorio-w.com",
"Domains Contacted. xz4i2o3m7456n7nwd4757wgfta3it7.ipcheker.com",
"Domains Contacted: b0h4f160dzkk7hgn65038eb73erxd8.ipgreat.com",
"Domains Contacted: l545ds1s2d6v8wxts6pz75835j5hj4.ipcheker.com",
"Domains Contacted: wv001gdb6n084bc533j7pf6043xg2v.ipgreat.com",
"Hostname ios.chimney-se.cloud.farmerswife.com \u2022 ios.vsila.cloud.farmerswife.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7646352-0",
"display_name": "Unix.Trojan.Mirai-7646352-0",
"target": null
},
{
"id": "SpyFu",
"display_name": "SpyFu",
"target": null
},
{
"id": "Win.Trojan.VB-83922",
"display_name": "Win.Trojan.VB-83922",
"target": null
},
{
"id": "virtool:Win32/VBInject.gen!JB",
"display_name": "virtool:Win32/VBInject.gen!JB",
"target": "/malware/virtool:Win32/VBInject.gen!JB"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5779,
"domain": 730,
"FileHash-MD5": 185,
"FileHash-SHA1": 147,
"hostname": 1790,
"email": 5,
"FileHash-SHA256": 947,
"CVE": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 9594,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "39 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6958780c8479a9d69920c3d8",
"name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack",
"description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.",
"modified": "2026-02-02T01:02:46.327000",
"created": "2026-01-03T01:59:40.530000",
"tags": [
"united",
"moved",
"title",
"passive dns",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"location united",
"hash avast",
"avg clamav",
"msdefender mar",
"read c",
"create c",
"medium",
"search",
"memcommit",
"high",
"checks",
"windows",
"execution",
"dock",
"write",
"persistence",
"capture",
"local",
"ref b",
"wed may",
"backdoor",
"mtb aug",
"next associated",
"mtb dec",
"twitter",
"smoke loader",
"malware",
"virtool",
"hacktool",
"data upload",
"present dec",
"mtb apr",
"win32",
"trojan",
"worm",
"lowfi",
"cybota",
"expiration date",
"name servers",
"ipv4",
"url analysis",
"port",
"destination",
"telnet login",
"bad login",
"gpl telnet",
"suspicious path",
"busybox",
"tcp syn",
"et telnet",
"path",
"mirai",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"america",
"ck id",
"name tactics",
"suspicious",
"informative",
"learn",
"t1179 hooking",
"installs",
"t1035 service",
"adversaries",
"msie",
"windows nt",
"slcc2",
"media center",
"y013",
"flag",
"span",
"accept",
"core",
"february",
"hybrid",
"malicious",
"general",
"click",
"strings",
"roboto",
"next",
"usa windows",
"finished",
"queueprogress",
"timestamp input",
"threat level",
"october",
"september",
"hwp support",
"fresh",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"programfiles",
"comspec",
"model",
"iframe",
"form",
"listeners",
"initial access",
"t1590 gather",
"victim network",
"ssl certificate",
"quasi government",
"jeffrey reimer",
"palantir",
"Regis university",
"otx hp",
"apple",
"pegasus",
"h5 data center",
"florence colorado",
"brian sabey",
"target : Tsara Brasheaers",
"aig",
"industry and commerce",
"united states",
"State of Colorado.",
"date",
"status",
"domain",
"hostname add",
"pulse pulses",
"files ip",
"address",
"url https",
"url http",
"hostname",
"show",
"type indicator",
"source hostname",
"entries",
"Prometheus Intelligence Technology",
"pulse submit",
"america flag",
"body",
"dynamicloader",
"microsoft azure",
"tls issuing",
"named pipe",
"json",
"ascii text",
"lredmond",
"Apple",
"Telnet",
"BusyBox",
"Pegasus",
"Colorado State Fixer: Christopher P. Ahmann",
"Hijacker: Brian Sabey",
"For: Concentra",
"Protecting Assaulter: Jeffrey Reimer",
"For: AIG",
"For Industry and Commerce",
"For: Quasi Government",
"For: Workers Compensation",
"Authorities",
"Law Enforcement Dark",
"Silencing",
"Tampering with a Victim",
"Meta",
"Palantir",
"Google",
"Bing",
"Microsoft",
"ColoCrossing",
"Associates",
"hit men"
],
"references": [
"ET Telnet | https://www.colocrossing.com | velocity servers",
"https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives",
"TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host",
"Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)",
"(legitimate services will remain up-and-running usually) High | ID dead_host",
"ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0",
"IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login",
"Yara Detections is__elf",
"Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout",
"Yara Detections is__elf , ELFHighEntropy , elf_empty_sections",
"http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/",
"https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l",
"https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!",
"https://www.colocrossing.com/",
"(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.",
"In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov",
"104.21.51.140, 172.67.181.41",
"Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot",
"stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe",
"Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download",
"Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration",
"IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192",
"IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82",
"Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com",
"This is hard to comprehend or put into indelible words."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.DarkNexus-7679166-0",
"display_name": "Unix.Trojan.DarkNexus-7679166-0",
"target": null
},
{
"id": "HackTool:MSIL/Boilod.C!bit",
"display_name": "HackTool:MSIL/Boilod.C!bit",
"target": "/malware/HackTool:MSIL/Boilod.C!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1204.002",
"name": "Malicious File",
"display_name": "T1204.002 - Malicious File"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Technology",
"Healthcare",
"Insurance",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6390,
"domain": 723,
"hostname": 1978,
"FileHash-SHA256": 1912,
"FileHash-MD5": 410,
"FileHash-SHA1": 306,
"email": 3,
"SSLCertFingerprint": 28,
"CVE": 3
},
"indicator_count": 11753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "76 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://webadmin.freeje.org",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://webadmin.freeje.org",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776616632.1093202
}