{ "type": "URL", "indicator": "https://www.albertahealthservices.ca/cis/cis.aspx", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.albertahealthservices.ca/cis/cis.aspx", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain albertahealthservices.ca", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3932826479, "indicator": "https://www.albertahealthservices.ca/cis/cis.aspx", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6831a459b02fed33a40bc6d1", "name": "Page Not Found | Alberta Health Services", "description": "", "modified": "2025-06-23T04:00:39.930000", "created": "2025-05-24T10:50:01.662000", "tags": [ "div div", "alberta health", "home alberta", "health services", "meta", "services", "services ahs", "xl div", "text message", "scam alert", "date", "cookie", "present apr", "present nov", "present sep", "present oct", "present feb", "present dec", "present aug", "present jan", "present may", "present mar", "id1060552", "id1001957", "id1001471", "id1602", "search", "found", "alberta", "strong", "treaty", "english iska", "iabi", "niitsipowahssin", "nhiyawwin", "mission", "contact", "certificate", "http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-", "webdomain@albertahealthservices.ca", "rsa securid", "javascript", "rsa hardware", "netcare access", "please", "citrix receiver", "access", "alert", "users", "form", "vhash", "ssdeep", "user account", "password keep", "sign", "microsoft", "connect care", "dragon medical", "eupa", "record", "hyperspace", "mylearninglink", "zoom", "medical one", "powermic mobile", "usb microphone", "critical", "sha256", "imphash", "rich pe", "seupa", "end user", "library", "north campus", "test day", "submission tip", "sheet", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%", "click", "epic login", "bow valley", "college student", "folder click", "folder double", "double click", "citrix", "detect citrix" ], "references": [ "https://ahs.queue-it.net/?c=ahs&e=accr&ver=v3-aspnet-3.6.2&cver=43&man=ACCR%20-%20Send%20To%20Queue&t=https://www.albertahealthservices.ca/covidbooking/Welcome.aspx", "https://webdomain@albertahealthservices.ca", "http://webdomain@albertahealthservices.ca", "https://xero.albertahealthservices.ca/", "https://aaa.albertahealthservices.ca/cgi/tm?code=0b409f3c5177212e", "https://aaa.albertahealthservices.ca/logon/LogonPoint/tmindex.html", "https://mylearninglink.albertahealthservices.ca/elearning/bins/index.asp", "https://manual.connect-care.ca/Training/Online-Learning/post-basic-training#h.kykghqohiwo6", "http://albertahealthservices.ca/hot-topics/covid-19-workflows/covid-19-critical-care-workflows", "https://bowvalleycollege.libanswers.com/faq/213446", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finsite.albertahealthservices.ca%2Fmain%2Fassets%2Fcis%2Ftms-cis-cc-seupa-regsub-tip-sheet.pdf&data=05%7C02%7Cfdyer%40bowvalleycollege.ca%7C80c9cbaf97d24c1c153008dcdd97ae07%7C8f11c6f4648e4c0cbb9996e8408a8e2a%7C0%7C0%7C638628890765909926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=c9nalvONZgUg1%2BaiPNOMWMieVvWDzvv7UZIu1w8cChU%3D&reserved=0", "https://bowvalleycollege.libanswers.com/faq/213269" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 845, "FileHash-MD5": 17, "URL": 405, "domain": 8, "FileHash-SHA256": 18, "FileHash-SHA1": 55, "email": 2 }, "indicator_count": 1350, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "343 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b459c6d9f3a4d98e4221f6", "name": "AHS Thor Lite Windows 11 Enterprise - 02.18.25 - not enriched", "description": "AHS Endpoint\nSCANID: S-Phu25Pdtc6Q\nThor Lite Scan (Custom Rules)\nUpdated: 05.12.25", "modified": "2025-06-11T18:01:20.529000", "created": "2025-02-18T09:58:30.041000", "tags": [ "custom", "yara rule", "capa", "function", "hostinteraction", "scanid", "filesystem", "basicblock", "create", "process", "write", "meta", "persistence", "service", "antivm", "info", "encrypt", "june", "timestomp", "mine", "impact", "shell", "copy", "window", "find", "inject", "keylog", "bypass", "thor", "yayih", "download", "chacha", "antiav", "pipes", "rootkit", "doublepulsar", "logger", "teamviewer", "virustotal", "cookie", "notify", "bitcoin", "openssl", "model", "arch", "hosts", "avemaria", "maze", "wabot", "bangat", "enfal", "risepro", "mirage", "naikon", "netwalker", "olyx", "plugx", "rooter", "safenet", "t5000", "warp", "xtremerat", "comspec", "error", "macho", "fusion", "sandbox", "mark", "malware", "dotnet", "njrat", "install", "compiler" ], "references": [ "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/summary", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/graph/embed/g44bd45d852dc47059636e6dd4313a995ae2d247fe58745a6b270b46d0b330b39?theme=dark", "https://viz.greynoise.io/analysis/5ba1fbf1-b14f-4ccb-b055-ed78f6154e51", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 75, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 143, "CVE": 7, "FileHash-MD5": 667, "FileHash-SHA1": 307, "FileHash-SHA256": 1417, "domain": 78, "email": 6, "hostname": 793, "CIDR": 2, "SSLCertFingerprint": 5 }, "indicator_count": 3425, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ac05add039aad334f4ee36", "name": "Alberta Health Services (AHS)", "description": "One Branch of the Province of Alberta Healthcare System\n\nUpdate 02.11.25 - need to add Malcore IOCs: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "modified": "2025-03-30T02:04:31.271000", "created": "2024-08-01T22:01:17.145000", "tags": [ "UAlberta", "Alberta Health Services", "AHS" ], "references": [ "https://www.virustotal.com/graph/embed/g6ec84c0946bf424a9d95f11fc77dcaff262f4a13daa6464386b17bb2a0ed4bbf?theme=dark", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d/graph", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d/iocs", "10.18.24: https://www.virustotal.com/graph/embed/g6ec84c0946bf424a9d95f11fc77dcaff262f4a13daa6464386b17bb2a0ed4bbf?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 358, "hostname": 850, "CIDR": 1, "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 434, "domain": 139, "email": 2, "SSLCertFingerprint": 412 }, "indicator_count": 2230, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://bowvalleycollege.libanswers.com/faq/213446", "https://manual.connect-care.ca/Training/Online-Learning/post-basic-training#h.kykghqohiwo6", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d/iocs", "https://aaa.albertahealthservices.ca/cgi/tm?code=0b409f3c5177212e", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/summary", "https://aaa.albertahealthservices.ca/logon/LogonPoint/tmindex.html", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules", "10.18.24: https://www.virustotal.com/graph/embed/g6ec84c0946bf424a9d95f11fc77dcaff262f4a13daa6464386b17bb2a0ed4bbf?theme=dark", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://bowvalleycollege.libanswers.com/faq/213269", "http://albertahealthservices.ca/hot-topics/covid-19-workflows/covid-19-critical-care-workflows", "https://xero.albertahealthservices.ca/", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79", "https://www.virustotal.com/graph/embed/g44bd45d852dc47059636e6dd4313a995ae2d247fe58745a6b270b46d0b330b39?theme=dark", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d/graph", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finsite.albertahealthservices.ca%2Fmain%2Fassets%2Fcis%2Ftms-cis-cc-seupa-regsub-tip-sheet.pdf&data=05%7C02%7Cfdyer%40bowvalleycollege.ca%7C80c9cbaf97d24c1c153008dcdd97ae07%7C8f11c6f4648e4c0cbb9996e8408a8e2a%7C0%7C0%7C638628890765909926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=c9nalvONZgUg1%2BaiPNOMWMieVvWDzvv7UZIu1w8cChU%3D&reserved=0", "https://www.virustotal.com/graph/embed/g6ec84c0946bf424a9d95f11fc77dcaff262f4a13daa6464386b17bb2a0ed4bbf?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings", "https://webdomain@albertahealthservices.ca", "https://mylearninglink.albertahealthservices.ca/elearning/bins/index.asp", "https://viz.greynoise.io/analysis/5ba1fbf1-b14f-4ccb-b055-ed78f6154e51", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264", "https://ahs.queue-it.net/?c=ahs&e=accr&ver=v3-aspnet-3.6.2&cver=43&man=ACCR%20-%20Send%20To%20Queue&t=https://www.albertahealthservices.ca/covidbooking/Welcome.aspx", "http://webdomain@albertahealthservices.ca" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Telecommunications", "Government", "Healthcare", "Technology" ], "unique_indicators": 3730 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/albertahealthservices.ca", "whois": "http://whois.domaintools.com/albertahealthservices.ca", "domain": "albertahealthservices.ca", "hostname": "www.albertahealthservices.ca" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6831a459b02fed33a40bc6d1", "name": "Page Not Found | Alberta Health Services", "description": "", "modified": "2025-06-23T04:00:39.930000", "created": "2025-05-24T10:50:01.662000", "tags": [ "div div", "alberta health", "home alberta", "health services", "meta", "services", "services ahs", "xl div", "text message", "scam alert", "date", "cookie", "present apr", "present nov", "present sep", "present oct", "present feb", "present dec", "present aug", "present jan", "present may", "present mar", "id1060552", "id1001957", "id1001471", "id1602", "search", "found", "alberta", "strong", "treaty", "english iska", "iabi", "niitsipowahssin", "nhiyawwin", "mission", "contact", "certificate", "http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-", "webdomain@albertahealthservices.ca", "rsa securid", "javascript", "rsa hardware", "netcare access", "please", "citrix receiver", "access", "alert", "users", "form", "vhash", "ssdeep", "user account", "password keep", "sign", "microsoft", "connect care", "dragon medical", "eupa", "record", "hyperspace", "mylearninglink", "zoom", "medical one", "powermic mobile", "usb microphone", "critical", "sha256", "imphash", "rich pe", "seupa", "end user", "library", "north campus", "test day", "submission tip", "sheet", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%", "click", "epic login", "bow valley", "college student", "folder click", "folder double", "double click", "citrix", "detect citrix" ], "references": [ "https://ahs.queue-it.net/?c=ahs&e=accr&ver=v3-aspnet-3.6.2&cver=43&man=ACCR%20-%20Send%20To%20Queue&t=https://www.albertahealthservices.ca/covidbooking/Welcome.aspx", "https://webdomain@albertahealthservices.ca", "http://webdomain@albertahealthservices.ca", "https://xero.albertahealthservices.ca/", "https://aaa.albertahealthservices.ca/cgi/tm?code=0b409f3c5177212e", "https://aaa.albertahealthservices.ca/logon/LogonPoint/tmindex.html", "https://mylearninglink.albertahealthservices.ca/elearning/bins/index.asp", "https://manual.connect-care.ca/Training/Online-Learning/post-basic-training#h.kykghqohiwo6", "http://albertahealthservices.ca/hot-topics/covid-19-workflows/covid-19-critical-care-workflows", "https://bowvalleycollege.libanswers.com/faq/213446", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finsite.albertahealthservices.ca%2Fmain%2Fassets%2Fcis%2Ftms-cis-cc-seupa-regsub-tip-sheet.pdf&data=05%7C02%7Cfdyer%40bowvalleycollege.ca%7C80c9cbaf97d24c1c153008dcdd97ae07%7C8f11c6f4648e4c0cbb9996e8408a8e2a%7C0%7C0%7C638628890765909926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=c9nalvONZgUg1%2BaiPNOMWMieVvWDzvv7UZIu1w8cChU%3D&reserved=0", "https://bowvalleycollege.libanswers.com/faq/213269" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 845, "FileHash-MD5": 17, "URL": 405, "domain": 8, "FileHash-SHA256": 18, "FileHash-SHA1": 55, "email": 2 }, "indicator_count": 1350, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "343 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b459c6d9f3a4d98e4221f6", "name": "AHS Thor Lite Windows 11 Enterprise - 02.18.25 - not enriched", "description": "AHS Endpoint\nSCANID: S-Phu25Pdtc6Q\nThor Lite Scan (Custom Rules)\nUpdated: 05.12.25", "modified": "2025-06-11T18:01:20.529000", "created": "2025-02-18T09:58:30.041000", "tags": [ "custom", "yara rule", "capa", "function", "hostinteraction", "scanid", "filesystem", "basicblock", "create", "process", "write", "meta", "persistence", "service", "antivm", "info", "encrypt", "june", "timestomp", "mine", "impact", "shell", "copy", "window", "find", "inject", "keylog", "bypass", "thor", "yayih", "download", "chacha", "antiav", "pipes", "rootkit", "doublepulsar", "logger", "teamviewer", "virustotal", "cookie", "notify", "bitcoin", "openssl", "model", "arch", "hosts", "avemaria", "maze", "wabot", "bangat", "enfal", "risepro", "mirage", "naikon", "netwalker", "olyx", "plugx", "rooter", "safenet", "t5000", "warp", "xtremerat", "comspec", "error", "macho", "fusion", "sandbox", "mark", "malware", "dotnet", "njrat", "install", "compiler" ], "references": [ "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/summary", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/graph/embed/g44bd45d852dc47059636e6dd4313a995ae2d247fe58745a6b270b46d0b330b39?theme=dark", "https://viz.greynoise.io/analysis/5ba1fbf1-b14f-4ccb-b055-ed78f6154e51", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 75, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 143, "CVE": 7, "FileHash-MD5": 667, "FileHash-SHA1": 307, "FileHash-SHA256": 1417, "domain": 78, "email": 6, "hostname": 793, "CIDR": 2, "SSLCertFingerprint": 5 }, "indicator_count": 3425, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ac05add039aad334f4ee36", "name": "Alberta Health Services (AHS)", "description": "One Branch of the Province of Alberta Healthcare System\n\nUpdate 02.11.25 - need to add Malcore IOCs: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "modified": "2025-03-30T02:04:31.271000", "created": "2024-08-01T22:01:17.145000", "tags": [ "UAlberta", "Alberta Health Services", "AHS" ], "references": [ "https://www.virustotal.com/graph/embed/g6ec84c0946bf424a9d95f11fc77dcaff262f4a13daa6464386b17bb2a0ed4bbf?theme=dark", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d/graph", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d/iocs", "10.18.24: https://www.virustotal.com/graph/embed/g6ec84c0946bf424a9d95f11fc77dcaff262f4a13daa6464386b17bb2a0ed4bbf?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 358, "hostname": 850, "CIDR": 1, "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 434, "domain": 139, "email": 2, "SSLCertFingerprint": 412 }, "indicator_count": 2230, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.albertahealthservices.ca/cis/cis.aspx", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.albertahealthservices.ca/cis/cis.aspx", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780355936.7740195 }