{ "type": "URL", "indicator": "https://www.ginko.garden", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.ginko.garden", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3927343872, "indicator": "https://www.ginko.garden", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "676493c5607a603f1785a935", "name": "https://ginko.garden/pl/contact tel:+48 797 920 339 ip4 77.79.221.180 77.79.221.148", "description": "Pasywna replikacja DNS: \n77.79.221.180 \nSugerowany opis:\nPe\u0142ny tekst Ginko.Garden - Nowoczesne dekoracje i pergole metalowe - wedi dweud eu glass - metaloplastyka.\nSugerowane identyfikatory ATT&CK:\nOgr\u00f3d - Nowoczesne dekoracje z metalu do ogrodu - bi\u017cuteria ogrodowa i dekoracje szklane - pergole metalowe - metaloplastyka Meta Tagi s\u0142owa kluczowe Nowoczesne dekoracje z metalu do ogrodu - pergole metalowe - Ginko.\n77.79.221.148 \n46.41.159.227 \n46.41.159.177", "modified": "2025-07-28T11:51:42.400000", "created": "2024-12-19T21:44:37.537000", "tags": [ "copyright", "customevent", "typeof e", "boomerang", "typeof t", "macintosh", "os x", "post", "typeof", "iframe", "date", "nazwa rekordu", "aaaaa", "na wniosek", "bezpieczestwo", "serwer", "przerwa", "informacja o", "prace", "nazwa", "hasze", "adresy url", "nazwa http", "configoverride", "continuity", "pageparam s", "iframedelay", "autoxhr", "historia", "nazwa https", "uytkownik", "zenbox", "komunikacja", "pliki", "rozmiar", "kb data", "wykrycia nie", "mitre", "ids nie", "sigmy nie", "submission", "sha256", "ssdeep", "file type", "html internet", "magic html", "unicode text", "utf8 text", "trid hypertext", "markup language" ], "references": [ "https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1334, "hostname": 454, "domain": 346, "IPv6": 2, "IPv4": 36, "FileHash-SHA256": 1499, "FileHash-MD5": 92, "FileHash-SHA1": 74, "CVE": 1, "email": 1 }, "indicator_count": 3839, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "306 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6764c20a49646c5fc3c5a153", "name": "https://psz.zus.pl", "description": "Sugerowany opis:\nPe\u0142ny raport na temat plan\u00f3w polskiego rz\u0105du dotycz\u0105cych referendum unijnego zosta\u0142 opublikowany w serwisie Zus.pl oraz na stronie g\u0142\u00f3wnej tego portalu, kt\u00f3ra dzia\u0142a obecnie w tym samym czasie.", "modified": "2025-05-14T21:16:39.393000", "created": "2024-12-20T01:02:02.761000", "tags": [ "sha256", "vhash", "ssdeep", "zrzuty ekranu", "wykrycia", "pliki", "liczba prbek", "skopiuj", "ukryj prbki", "pokazywa", "skrt", "hash", "kthreaddi", "c start", "plik", "dgc4ph baza", "wiadomoci", "kompresor", "ip k40g", "layton m0355", "n o365", "ilo o2o", "skanowanie", "udostpnij", "plik sha256", "data", "zwizane z", "zoliwym", "awasta elf", "zakaenie", "pani obroczyni", "trojan", "mtb zakaenie", "ostatnia", "2063947519", "nazwa", "adresy url", "nazwa https", "adowania", "jeli plik", "clay", "ojsreso", "o poniej", "url https", "http request", "method get", "country a", "polandpoland as", "name zaklad", "as number", "mime type", "data size", "size", "critical", "frame id", "b time" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 259, "FileHash-SHA256": 282, "domain": 161, "hostname": 235, "FileHash-MD5": 192, "FileHash-SHA1": 190 }, "indicator_count": 1319, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665c84b687c5e16b95e8f8e", "name": "94.152.152.223 v65023.niebieski.net Cyber_Folks S.A. (vgt.pl)", "description": "SHA1 32223ade25c4a1d39cb8ac13042e8e6dfe3ca78f , SHA1 \n 99987c1ee1ddb7fd113abd65c836fbb71c3da4da\n Role: UPX , Ransomware , Trojan , Mirai , Buschido Mirai antywirusowe\nWin.Trojan.VBGeneric-6735875-0 , Robak:Win32/Mofksys.RND!MTB", "modified": "2024-12-31T01:53:43.222000", "created": "2024-06-09T15:20:43.178000", "tags": [ "expiration", "no expiration", "url http", "url https", "hostname", "domain", "ipv4", "filehashsha256", "fh no", "filehashmd5", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "pl o", "unizeto", "sa ou", "urzd", "certum cn" ], "references": [ "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [ "Poland", "United States of America", "Germany", "Netherlands" ], "malware_families": [ { "id": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.004", "name": "Compile After Delivery", "display_name": "T1027.004 - Compile After Delivery" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3205, "FileHash-SHA1": 2671, "FileHash-SHA256": 11469, "SSLCertFingerprint": 6, "URL": 5435, "domain": 1356, "email": 55, "hostname": 2205, "CVE": 13, "YARA": 4, "CIDR": 1, "IPv4": 25, "FileHash-IMPHASH": 1, "BitcoinAddress": 2, "IPv6": 13 }, "indicator_count": 26461, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669b8fa0d807682987a33cb7", "name": "https://ssl-proxy.my-addr.org/myaddrproxy.php/https/www.vgt.pl", "description": "Here is the full text of the X509 certificate, signed by Google LLC, which is published on 1 July 2014:. \u00c2\u00a31.4m.. (\u20ac2.3m)", "modified": "2024-10-20T00:48:20.932000", "created": "2024-07-20T10:21:20.075000", "tags": [ "submission", "globalsign root", "ougwny urzd", "oglobalsign", "ssdeep", "magic", "trid der", "file size", "history first", "analysis", "win32 exe", "narzdzie nokia", "best bb5", "aaaaa" ], "references": [ "https://viz.greynoise.io/analysis/399e2039-4568-4e91-95b1-56e4de" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 19, "FileHash-SHA256": 92, "IPv6": 6, "hostname": 111, "domain": 60, "URL": 638, "YARA": 1, "FileHash-IMPHASH": 1, "email": 4, "IPv4": 6, "CVE": 2 }, "indicator_count": 958, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668bfcb0b48a387b9d2c8562", "name": "Ministerstwo Finans\u00f3w - Portal Gov.pl", "description": "Pliki cookie zosta\u0142y ju\u017c zapisane i wydrukowane.\n5852be629358e18160c5483bfc8c9f0023b974565f2d59ce7f4497cc734b4ecd 30 pa\u017a 2022 b8a2476b55132fdf0531d6cd48126b759dc08a8f5b019917b62373e536a0b8c9 26 pa\u017a 2022 2700fbe4001e27ba55d72841817b0b9454954b496f21e4259c88919027172694 6 wrze\u015bnia 2022 r. 91da570586b7c04e3012215469ed8b8c5aa036068cc48ba7a7ac0d8cce34290e 5 wrze\u015bnia 2022 r. 1757d8363e28b35b9e29c44d0bc87e2a03d90ca50dadd780924528e0a13d49e1 31 sierpnia 2022 r. fe5744ed48406b90eae1747aab5386645406ad61cdc629ebc7ded97aa099ae28 30 lipca 2022 r. c730bac7a1da3b6263e7672c85cb4deb229c45479bd64bc7194a9a8bb16b8cb6 16 lipca 2022 r. 177b428ac63ad3b6c606ed11b33c9fc4d79f6ff5e6b3ac3ee849f1e2d1f2c903 16 lipca 2022 r. a35121637b79b7d926b63afceae409fdb35c14ad5431ecd199179622e1711ca6", "modified": "2024-10-17T05:28:49.118000", "created": "2024-07-08T14:50:24.496000", "tags": [ "polskiej", "przejd", "usugi dla", "logowanie", "profil zaufany", "skarbowa", "zobacz", "ksef", "zastpca szefa", "stopka", "rada", "inquest labs", "vba project", "vbaproject", "kopiuj md5", "kopiuj sha1", "skopiuj sha256", "sha1", "sha256", "typ tekst", "opis tekst", "ascii md5", "rozmiar", "typ dane", "pdf c", "text c", "ounizeto", "validation ca", "sha2", "odigicert inc", "cusa", "authority", "rsa ca", "cncertum domain", "cngeotrust ev", "oglobalsign", "unicode", "z bom", "crlf", "rgba", "dane obrazu", "tekst utf8", "v2 dokument", "dane", "dokument html", "jpeg", "skrt", "opis", "poczenie", "wifi", "start", "nazwa typ", "md5 nazwa", "procesu plik", "pe32", "intel", "pejzasz", "ms windows", "plik dokumentu", "nie c", "win32 exe", "crt.sh", "ct", "certificate transparency", "certificate search", "ssl certificate", "sectigo", "comodo ca", "comodo", "tls web", "criteria id", "647257375", "timestamp entry", "log operator", "log url", "google https", "ca mechanism", "provider status", "error", "log id", "647257567", "summary leaf", "sectigo https", "expired", "certificate", "lets", "key usage", "identifier", "551852229", "digicert https", "479894151", "479896285", "tylne drzwi", "win32", "imphasz", "wirustotal", "emaile", "emaile pnewell", "emaile khunter", "emaile eooshea", "emaile regadmin", "microsoft excel", "wed jan", "submission", "vhash", "ssdeep", "file type", "ms excel", "xls magic", "file v2", "document", "number", "algorithm", "certum", "unizeto", "warszawa", "31915086", "nitro pro", "nitro sign", "nitro", "nitro pdf", "primopdf", "pdfs", "business nitro", "pdf nitro", "pdf pro", "desktop", "premium", "service", "ja3s", "mnie", "sysv", "lsb executable", "eabi4 version", "msb executable", "mips", "mipsi version", "trojan", "imphash", "pehash", "name type", "md5 process", "fault", "header", "bezterminowo", "adres url", "nazwa hosta", "ipv4", "ccie asnas8075", "nie mona", "trojandropper", "url skryptw", "domeny a", "kliknij", "prbka skrt", "uwzgldnij", "nieobecny", "procesu", "ascii z", "ascii bez", "mirai", "win32virut", "procesu zastpy", "tekst ascii", "z terminatorami" ], "references": [ "http://www.mf.gov.pl/tutaj/a./p/body/html", "https://www.mf.gov.pl/tutaj/a./p/body/html", "https://mdec.nelreports.net/api/report?cat=mdocs", "https://crt.sh/?id=647257375", "https://crt.sh/?id=647257567", "https://crt.sh/?id=551852229", "https://crt.sh/?id=479894151", "https://crt.sh/?id=479896285", "https://crt.sh/?d=49659844", "https://crt.sh/?id=31915086", "http://www.primopdf.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9", "display_name": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 127, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 627, "email": 41, "FileHash-SHA1": 1565, "FileHash-SHA256": 5520, "URL": 1821, "FileHash-MD5": 1861, "SSLCertFingerprint": 10, "domain": 167, "IPv4": 31, "YARA": 7, "CVE": 7 }, "indicator_count": 11657, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4", "http://www.mf.gov.pl/tutaj/a./p/body/html", "https://crt.sh/?id=479896285", "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "https://crt.sh/?id=479894151", "http://www.primopdf.com/", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527", "https://viz.greynoise.io/analysis/399e2039-4568-4e91-95b1-56e4de", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778", "https://crt.sh/?id=551852229", "https://crt.sh/?d=49659844", "https://crt.sh/?id=31915086", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "https://mdec.nelreports.net/api/report?cat=mdocs", "https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "https://crt.sh/?id=647257375", "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23", "https://www.mf.gov.pl/tutaj/a./p/body/html", "https://crt.sh/?id=647257567" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "TrojanDownloader:Win32/Nemucod", "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri" ], "malware_families": [ "E74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 elf :mirai- malware gh\\ [trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9", "Mirai", "Serwer a przed\u0142u\u017cenie sesji #{text} wojcieszyce pl" ], "industries": [], "unique_indicators": 66675 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ginko.garden", "whois": "http://whois.domaintools.com/ginko.garden", "domain": "ginko.garden", "hostname": "www.ginko.garden" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "676493c5607a603f1785a935", "name": "https://ginko.garden/pl/contact tel:+48 797 920 339 ip4 77.79.221.180 77.79.221.148", "description": "Pasywna replikacja DNS: \n77.79.221.180 \nSugerowany opis:\nPe\u0142ny tekst Ginko.Garden - Nowoczesne dekoracje i pergole metalowe - wedi dweud eu glass - metaloplastyka.\nSugerowane identyfikatory ATT&CK:\nOgr\u00f3d - Nowoczesne dekoracje z metalu do ogrodu - bi\u017cuteria ogrodowa i dekoracje szklane - pergole metalowe - metaloplastyka Meta Tagi s\u0142owa kluczowe Nowoczesne dekoracje z metalu do ogrodu - pergole metalowe - Ginko.\n77.79.221.148 \n46.41.159.227 \n46.41.159.177", "modified": "2025-07-28T11:51:42.400000", "created": "2024-12-19T21:44:37.537000", "tags": [ "copyright", "customevent", "typeof e", "boomerang", "typeof t", "macintosh", "os x", "post", "typeof", "iframe", "date", "nazwa rekordu", "aaaaa", "na wniosek", "bezpieczestwo", "serwer", "przerwa", "informacja o", "prace", "nazwa", "hasze", "adresy url", "nazwa http", "configoverride", "continuity", "pageparam s", "iframedelay", "autoxhr", "historia", "nazwa https", "uytkownik", "zenbox", "komunikacja", "pliki", "rozmiar", "kb data", "wykrycia nie", "mitre", "ids nie", "sigmy nie", "submission", "sha256", "ssdeep", "file type", "html internet", "magic html", "unicode text", "utf8 text", "trid hypertext", "markup language" ], "references": [ "https://s.go-mpulse.net/boomerang/XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1334, "hostname": 454, "domain": 346, "IPv6": 2, "IPv4": 36, "FileHash-SHA256": 1499, "FileHash-MD5": 92, "FileHash-SHA1": 74, "CVE": 1, "email": 1 }, "indicator_count": 3839, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "306 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6764c20a49646c5fc3c5a153", "name": "https://psz.zus.pl", "description": "Sugerowany opis:\nPe\u0142ny raport na temat plan\u00f3w polskiego rz\u0105du dotycz\u0105cych referendum unijnego zosta\u0142 opublikowany w serwisie Zus.pl oraz na stronie g\u0142\u00f3wnej tego portalu, kt\u00f3ra dzia\u0142a obecnie w tym samym czasie.", "modified": "2025-05-14T21:16:39.393000", "created": "2024-12-20T01:02:02.761000", "tags": [ "sha256", "vhash", "ssdeep", "zrzuty ekranu", "wykrycia", "pliki", "liczba prbek", "skopiuj", "ukryj prbki", "pokazywa", "skrt", "hash", "kthreaddi", "c start", "plik", "dgc4ph baza", "wiadomoci", "kompresor", "ip k40g", "layton m0355", "n o365", "ilo o2o", "skanowanie", "udostpnij", "plik sha256", "data", "zwizane z", "zoliwym", "awasta elf", "zakaenie", "pani obroczyni", "trojan", "mtb zakaenie", "ostatnia", "2063947519", "nazwa", "adresy url", "nazwa https", "adowania", "jeli plik", "clay", "ojsreso", "o poniej", "url https", "http request", "method get", "country a", "polandpoland as", "name zaklad", "as number", "mime type", "data size", "size", "critical", "frame id", "b time" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 259, "FileHash-SHA256": 282, "domain": 161, "hostname": 235, "FileHash-MD5": 192, "FileHash-SHA1": 190 }, "indicator_count": 1319, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665c84b687c5e16b95e8f8e", "name": "94.152.152.223 v65023.niebieski.net Cyber_Folks S.A. (vgt.pl)", "description": "SHA1 32223ade25c4a1d39cb8ac13042e8e6dfe3ca78f , SHA1 \n 99987c1ee1ddb7fd113abd65c836fbb71c3da4da\n Role: UPX , Ransomware , Trojan , Mirai , Buschido Mirai antywirusowe\nWin.Trojan.VBGeneric-6735875-0 , Robak:Win32/Mofksys.RND!MTB", "modified": "2024-12-31T01:53:43.222000", "created": "2024-06-09T15:20:43.178000", "tags": [ "expiration", "no expiration", "url http", "url https", "hostname", "domain", "ipv4", "filehashsha256", "fh no", "filehashmd5", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "pl o", "unizeto", "sa ou", "urzd", "certum cn" ], "references": [ "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [ "Poland", "United States of America", "Germany", "Netherlands" ], "malware_families": [ { "id": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.004", "name": "Compile After Delivery", "display_name": "T1027.004 - Compile After Delivery" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3205, "FileHash-SHA1": 2671, "FileHash-SHA256": 11469, "SSLCertFingerprint": 6, "URL": 5435, "domain": 1356, "email": 55, "hostname": 2205, "CVE": 13, "YARA": 4, "CIDR": 1, "IPv4": 25, "FileHash-IMPHASH": 1, "BitcoinAddress": 2, "IPv6": 13 }, "indicator_count": 26461, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669b8fa0d807682987a33cb7", "name": "https://ssl-proxy.my-addr.org/myaddrproxy.php/https/www.vgt.pl", "description": "Here is the full text of the X509 certificate, signed by Google LLC, which is published on 1 July 2014:. \u00c2\u00a31.4m.. (\u20ac2.3m)", "modified": "2024-10-20T00:48:20.932000", "created": "2024-07-20T10:21:20.075000", "tags": [ "submission", "globalsign root", "ougwny urzd", "oglobalsign", "ssdeep", "magic", "trid der", "file size", "history first", "analysis", "win32 exe", "narzdzie nokia", "best bb5", "aaaaa" ], "references": [ "https://viz.greynoise.io/analysis/399e2039-4568-4e91-95b1-56e4de" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 19, "FileHash-SHA256": 92, "IPv6": 6, "hostname": 111, "domain": 60, "URL": 638, "YARA": 1, "FileHash-IMPHASH": 1, "email": 4, "IPv4": 6, "CVE": 2 }, "indicator_count": 958, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "588 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668bfcb0b48a387b9d2c8562", "name": "Ministerstwo Finans\u00f3w - Portal Gov.pl", "description": "Pliki cookie zosta\u0142y ju\u017c zapisane i wydrukowane.\n5852be629358e18160c5483bfc8c9f0023b974565f2d59ce7f4497cc734b4ecd 30 pa\u017a 2022 b8a2476b55132fdf0531d6cd48126b759dc08a8f5b019917b62373e536a0b8c9 26 pa\u017a 2022 2700fbe4001e27ba55d72841817b0b9454954b496f21e4259c88919027172694 6 wrze\u015bnia 2022 r. 91da570586b7c04e3012215469ed8b8c5aa036068cc48ba7a7ac0d8cce34290e 5 wrze\u015bnia 2022 r. 1757d8363e28b35b9e29c44d0bc87e2a03d90ca50dadd780924528e0a13d49e1 31 sierpnia 2022 r. fe5744ed48406b90eae1747aab5386645406ad61cdc629ebc7ded97aa099ae28 30 lipca 2022 r. c730bac7a1da3b6263e7672c85cb4deb229c45479bd64bc7194a9a8bb16b8cb6 16 lipca 2022 r. 177b428ac63ad3b6c606ed11b33c9fc4d79f6ff5e6b3ac3ee849f1e2d1f2c903 16 lipca 2022 r. a35121637b79b7d926b63afceae409fdb35c14ad5431ecd199179622e1711ca6", "modified": "2024-10-17T05:28:49.118000", "created": "2024-07-08T14:50:24.496000", "tags": [ "polskiej", "przejd", "usugi dla", "logowanie", "profil zaufany", "skarbowa", "zobacz", "ksef", "zastpca szefa", "stopka", "rada", "inquest labs", "vba project", "vbaproject", "kopiuj md5", "kopiuj sha1", "skopiuj sha256", "sha1", "sha256", "typ tekst", "opis tekst", "ascii md5", "rozmiar", "typ dane", "pdf c", "text c", "ounizeto", "validation ca", "sha2", "odigicert inc", "cusa", "authority", "rsa ca", "cncertum domain", "cngeotrust ev", "oglobalsign", "unicode", "z bom", "crlf", "rgba", "dane obrazu", "tekst utf8", "v2 dokument", "dane", "dokument html", "jpeg", "skrt", "opis", "poczenie", "wifi", "start", "nazwa typ", "md5 nazwa", "procesu plik", "pe32", "intel", "pejzasz", "ms windows", "plik dokumentu", "nie c", "win32 exe", "crt.sh", "ct", "certificate transparency", "certificate search", "ssl certificate", "sectigo", "comodo ca", "comodo", "tls web", "criteria id", "647257375", "timestamp entry", "log operator", "log url", "google https", "ca mechanism", "provider status", "error", "log id", "647257567", "summary leaf", "sectigo https", "expired", "certificate", "lets", "key usage", "identifier", "551852229", "digicert https", "479894151", "479896285", "tylne drzwi", "win32", "imphasz", "wirustotal", "emaile", "emaile pnewell", "emaile khunter", "emaile eooshea", "emaile regadmin", "microsoft excel", "wed jan", "submission", "vhash", "ssdeep", "file type", "ms excel", "xls magic", "file v2", "document", "number", "algorithm", "certum", "unizeto", "warszawa", "31915086", "nitro pro", "nitro sign", "nitro", "nitro pdf", "primopdf", "pdfs", "business nitro", "pdf nitro", "pdf pro", "desktop", "premium", "service", "ja3s", "mnie", "sysv", "lsb executable", "eabi4 version", "msb executable", "mips", "mipsi version", "trojan", "imphash", "pehash", "name type", "md5 process", "fault", "header", "bezterminowo", "adres url", "nazwa hosta", "ipv4", "ccie asnas8075", "nie mona", "trojandropper", "url skryptw", "domeny a", "kliknij", "prbka skrt", "uwzgldnij", "nieobecny", "procesu", "ascii z", "ascii bez", "mirai", "win32virut", "procesu zastpy", "tekst ascii", "z terminatorami" ], "references": [ "http://www.mf.gov.pl/tutaj/a./p/body/html", "https://www.mf.gov.pl/tutaj/a./p/body/html", "https://mdec.nelreports.net/api/report?cat=mdocs", "https://crt.sh/?id=647257375", "https://crt.sh/?id=647257567", "https://crt.sh/?id=551852229", "https://crt.sh/?id=479894151", "https://crt.sh/?id=479896285", "https://crt.sh/?d=49659844", "https://crt.sh/?id=31915086", "http://www.primopdf.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9", "display_name": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 127, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 627, "email": 41, "FileHash-SHA1": 1565, "FileHash-SHA256": 5520, "URL": 1821, "FileHash-MD5": 1861, "SSLCertFingerprint": 10, "domain": 167, "IPv4": 31, "YARA": 7, "CVE": 7 }, "indicator_count": 11657, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.ginko.garden", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.ginko.garden", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780221941.264847 }