{ "type": "URL", "indicator": "https://www.googleapis.com/auth/userinfo.email", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.googleapis.com/auth/userinfo.email", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #5790", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain googleapis.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain googleapis.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3212235340, "indicator": "https://www.googleapis.com/auth/userinfo.email", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69f99f0b14707306f5cb7a96", "name": "KidsProtect - A Near-Total Surveillance Toolkit", "description": "Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years.\n\nCerto has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim\u2019s phone. It can\u2019t be removed without the attacker\u2019s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.\n\nThe tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner\u2019s knowledge.\nFrom a web-based dashboard, an operator can secretly record calls, stream live audio from the device\u2019s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.", "modified": "2026-05-05T07:40:59.536000", "created": "2026-05-05T07:40:59.536000", "tags": [ "capture", "kidsprotect", "android", "certo", "gps location", "whatsapp", "viber", "wifiservice", "protect", "remote access", "trojan", "parental", "stealth", "stream", "telegram", "service installer", "classes2.dex", "dalvik dex", "android", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "open th", "virustotal api", "comments", "iocs", "data upload", "extraction", "se boypes" ], "references": [ "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo", "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/", "Android Permissions Below:", "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,", "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,", "MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG,", "The app\u2019s package name \u2014 com.example.parentguard", "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions", "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.", "com.example.parentguard", "The software is sold on a subscription basis starting from $60.", "Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert .", "Additional research by Q.Vashti" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "ALF:AndroidOSSuspiciousPerms.A", "display_name": "ALF:AndroidOSSuspiciousPerms.A", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 49, "domain": 3, "hostname": 5, "email": 1 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "455 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a464c07b076a6022abbe", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-12-06T16:42:12.952000", "created": "2023-12-06T16:42:12.952000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0c0b966ec5b823d2ae7", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer", "description": "", "modified": "2023-12-06T16:26:40.335000", "created": "2023-12-06T16:26:40.335000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a05bc6152413ed0fdbaa", "name": "Social Engineering -Striven Anonymizer", "description": "", "modified": "2023-12-06T16:24:59.615000", "created": "2023-12-06T16:24:59.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e26c454e86439fd9462541", "name": "Social Engineering -Striven Anonymizer", "description": "Optin Example: Affected (device w/vulnerabilities or in BotNetwork, etc) clocks on a ' Sponsored Ad' that fits search query. Will view webpage and Optin to be contacted by email and/or telephone. Both methods will likely be required by attacker. Bad actor will call immediately, quality of call can be surprisingly poor (obnoxiously noisy), BA takes assessment, quotes prices much higher than should be. You are desperate because no one else can help. Actor will demand email, will send various attachments, all malicious. Will not look suspicious, (strategy, video introduction, proposal, etc). Once you don't respond you may receive email contact from different email, more attachments. Follow ups...by now bad actor has full use of device. Spyware. Apps auto download, blocked from removal. Incredible cycle.\n\n\nLogin.aspx192.118.8.10 = 192.118.8.10\niphones.orange.co.il\nhttps://www.partner.co.il/n/login?utm_source=sm", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-20T19:40:53.299000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7c73087130803d20066ef", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer ", "description": "", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-24T21:10:08.493000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": "64e26c454e86439fd9462541", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6500a47dd316d0ea5616044d", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-09-19T20:04:24.850000", "created": "2023-09-12T17:48:45.349000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": "64e26c454e86439fd9462541", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://tria.ge/240517-vc7c1shc62/behavioral1", "MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG,", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "com.example.parentguard", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,", "Android Permissions Below:", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "AppRegistrationList.csv", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "Additional research by Q.Vashti", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert .", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "MilesIT", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://login.striven.com/Security/Login.aspx192.118.8.10", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "All - EnterpriseAppsList.csv", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23", "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "The software is sold on a subscription basis starting from $60.", "https://tria.ge/240521-q4s79agb25/static1", "The app\u2019s package name \u2014 com.example.parentguard", "https://urlscan.io/search/#ualberta.ca", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Striven", "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri" ], "malware_families": [ "Alf:monitoringtool:androidos/finspy", "Black basta (elf)", "Alf:androidossuspiciousperms.a", "Remote access" ], "industries": [ "Cyber security", "Telecommunications", "Healthcare", "Government", "Technology", "Education" ], "unique_indicators": 74020 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/googleapis.com", "whois": "http://whois.domaintools.com/googleapis.com", "domain": "googleapis.com", "hostname": "www.googleapis.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69f99f0b14707306f5cb7a96", "name": "KidsProtect - A Near-Total Surveillance Toolkit", "description": "Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years.\n\nCerto has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim\u2019s phone. It can\u2019t be removed without the attacker\u2019s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.\n\nThe tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner\u2019s knowledge.\nFrom a web-based dashboard, an operator can secretly record calls, stream live audio from the device\u2019s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.", "modified": "2026-05-05T07:40:59.536000", "created": "2026-05-05T07:40:59.536000", "tags": [ "capture", "kidsprotect", "android", "certo", "gps location", "whatsapp", "viber", "wifiservice", "protect", "remote access", "trojan", "parental", "stealth", "stream", "telegram", "service installer", "classes2.dex", "dalvik dex", "android", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "open th", "virustotal api", "comments", "iocs", "data upload", "extraction", "se boypes" ], "references": [ "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo", "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/", "Android Permissions Below:", "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,", "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,", "MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG,", "The app\u2019s package name \u2014 com.example.parentguard", "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions", "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.", "com.example.parentguard", "The software is sold on a subscription basis starting from $60.", "Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert .", "Additional research by Q.Vashti" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "ALF:AndroidOSSuspiciousPerms.A", "display_name": "ALF:AndroidOSSuspiciousPerms.A", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 49, "domain": 3, "hostname": 5, "email": 1 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "455 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a464c07b076a6022abbe", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-12-06T16:42:12.952000", "created": "2023-12-06T16:42:12.952000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0c0b966ec5b823d2ae7", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer", "description": "", "modified": "2023-12-06T16:26:40.335000", "created": "2023-12-06T16:26:40.335000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a05bc6152413ed0fdbaa", "name": "Social Engineering -Striven Anonymizer", "description": "", "modified": "2023-12-06T16:24:59.615000", "created": "2023-12-06T16:24:59.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28, "URL": 247, "FileHash-SHA256": 705, "hostname": 126, "FileHash-MD5": 17, "FileHash-SHA1": 13 }, "indicator_count": 1136, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e26c454e86439fd9462541", "name": "Social Engineering -Striven Anonymizer", "description": "Optin Example: Affected (device w/vulnerabilities or in BotNetwork, etc) clocks on a ' Sponsored Ad' that fits search query. Will view webpage and Optin to be contacted by email and/or telephone. Both methods will likely be required by attacker. Bad actor will call immediately, quality of call can be surprisingly poor (obnoxiously noisy), BA takes assessment, quotes prices much higher than should be. You are desperate because no one else can help. Actor will demand email, will send various attachments, all malicious. Will not look suspicious, (strategy, video introduction, proposal, etc). Once you don't respond you may receive email contact from different email, more attachments. Follow ups...by now bad actor has full use of device. Spyware. Apps auto download, blocked from removal. Incredible cycle.\n\n\nLogin.aspx192.118.8.10 = 192.118.8.10\niphones.orange.co.il\nhttps://www.partner.co.il/n/login?utm_source=sm", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-20T19:40:53.299000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7c73087130803d20066ef", "name": "PROXY - Defense Evasion \u2022 Malicious Spammer ", "description": "", "modified": "2023-09-19T20:04:24.850000", "created": "2023-08-24T21:10:08.493000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": "64e26c454e86439fd9462541", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6500a47dd316d0ea5616044d", "name": "Social Engineering - Anonymizer - Qakbot \u221a", "description": "", "modified": "2023-09-19T20:04:24.850000", "created": "2023-09-12T17:48:45.349000", "tags": [ "qakbot", "string", "social engineering", "click", "malspam", "chromeua", "optout", "drmedgeua", "pattern match", "unicode", "optin", "suspicious", "footer", "ansi", "dropped file", "localappdata", "scam", "anonymizer", "Binary Padding", "Apt", "Defense Evasion", "junk files" ], "references": [ "https://login.striven.com/Security/Login.aspx192.118.8.10", "MilesIT" ], "public": 1, "adversary": "Striven", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "Black Basta (ELF)", "display_name": "Black Basta (ELF)", "target": null }, { "id": "ALF:MonitoringTool:AndroidOS/FinSpy", "display_name": "ALF:MonitoringTool:AndroidOS/FinSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Cyber Security" ], "TLP": "white", "cloned_from": "64e26c454e86439fd9462541", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 201, "domain": 52, "URL": 443, "FileHash-MD5": 17, "FileHash-SHA256": 738, "FileHash-SHA1": 13 }, "indicator_count": 1464, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.googleapis.com/auth/userinfo.email", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.googleapis.com/auth/userinfo.email", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780185077.780221 }