{ "type": "URL", "indicator": "https://www.fbsbx.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.fbsbx.com", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #247", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain fbsbx.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain fbsbx.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4214664517, "indicator": "https://www.fbsbx.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69d0dec10ab26722b8dbd382", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:52.991000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec2efedd87c3a05cc10", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:54.810000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec535ae0f94d37ccefb", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:57.171000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec7d1e663f23697fcd5", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:59.346000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec9f83643549f2d60c3", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:50:01.067000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1, "YARA": 1, "CVE": 1 }, "indicator_count": 1858, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-04-20T21:01:07.869000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9 }, "indicator_count": 14134, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "http://watchhers.net/index.php", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "Unknown Persons impersonating Private Investigators (plural)", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "Updated | What\u2019s left after theft", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "Melvin Sabey", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "https://rdweb.datafoundry.com/", "https://webmail.police.govmm.org/owa/", "Ronda Cordova", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "T1110.001 (Brute Force: Password Guessing)", "I bring up the personal nature of the crime because a delete service has been used", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "Quasi Government Case", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Victim silenced. Struck by Car Driven by male police let walk", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "http://212.33.237.86/images/1/report.php", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "Denver Police Department Major Crimes closed investigation", "Obfuscation: XOR-based String Encryption (0x20)", "All IoC\u2019s originate from sources named. There are some unknown attackers", "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "https://www.datafoundry.com/category/news/press-releases/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "Reimer was a PT. Unknown whereabouts , name or job description", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive", "Mark Brian Sabey", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://www.datafoundry.com/data-center-contamination-control/", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Christopher P \u2018Buzz\u2019 Ahmann", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Malware family: stealthworker / gobrut", "Tons of malware", "Porn revenge" ], "industries": [], "unique_indicators": 39514 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fbsbx.com", "whois": "http://whois.domaintools.com/fbsbx.com", "domain": "fbsbx.com", "hostname": "www.fbsbx.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69d0dec10ab26722b8dbd382", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:52.991000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec2efedd87c3a05cc10", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:54.810000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec535ae0f94d37ccefb", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:57.171000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec7d1e663f23697fcd5", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:59.346000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0dec9f83643549f2d60c3", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:50:01.067000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1, "YARA": 1, "CVE": 1 }, "indicator_count": 1858, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-04-20T21:01:07.869000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9 }, "indicator_count": 14134, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.fbsbx.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.fbsbx.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780370864.0209675 }