{ "type": "URL", "indicator": "https://www.reductioneo.com/codepromo/desenio.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.reductioneo.com/codepromo/desenio.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3101310993, "indicator": "https://www.reductioneo.com/codepromo/desenio.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a1eb8b10286d8a660208d22", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T12:38:38.917000", "created": "2026-06-02T11:04:17.633000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4776, "domain": 2347, "hostname": 1885, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15032, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89e870b00e5430358ca", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:42.087000", "created": "2026-06-02T11:03:58.997000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4775, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15029, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89f53c0a70219dddefb", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:40.987000", "created": "2026-06-02T11:03:59.936000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4778, "domain": 2347, "hostname": 1888, "SSLCertFingerprint": 15, "email": 16, "CVE": 1, "IPv4": 1 }, "indicator_count": 15038, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692440efac39f5213329f13", "name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox", "description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.", "modified": "2024-08-12T08:04:00.041000", "created": "2024-07-13T09:08:30.431000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4773, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15027, "is_author": false, "is_subscribing": null, "subscriber_count": 238, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "https://www.YouTube.com/polebote", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "http://netuser.joymeng.com/charge_apple/notify", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "https://www.passcreator.com/en/apple-wallet-passes", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "apple-business.cancom.at", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "Apple - 162.55.158.153", "Subject: DE Certificate Subject: Berlin Certificate Subject", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "DotNET_Crypto_Obfuscator", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "ns2.tsaratsovo.net", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Mustang Panda" ], "malware_families": [ "Ransom:win32/gandcrab.ae", "Trojan:win32/salgorea.c!mtb", "Win32/trickler", "Worm:win32/yuner.a", "Tel:msil/dlsocconsend", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Cycbot", "#lowfi:tool:win32/vbstoexev2e", "Crypt2.azdi", "Cve 2007695", "Worm:win32/autorun.xfv", "Trojan:win32/salgorea", "Unruy", "Backdoor:win32/plugx", "Win.trojan.generic", "Trojan:win32/aenjaris.al!bit", "Ddos:linux/lightaidra", "Trojan:win32/eyestye.t", "Win.trojan.zegost", "Trojandropper:win32/muldrop.v!mtb", "Win.malware.hd0kzai-9985588-0", "Win32:androp", "Win.malware.barys-6840738-0", "Androp", "Trojandropper:win32/tofsee", "Trojanspy", "Backdoor:win32/tofsee.t", "Et", "Pws:win32/qqpass", "Trojan:win32/glupteba.mt!mtb", "Trojan:win32/agent.ag!mtb", "Win.malware.oxypumper-6900445-0", "Trojan:win32/qqpass", "Inject.brdv", "Wormwin32/mofksys.rnd!mtb", "Trojan:win32/blihan.a", "Trojandropper:win32/vb.il" ], "industries": [], "unique_indicators": 26239 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/reductioneo.com", "whois": "http://whois.domaintools.com/reductioneo.com", "domain": "reductioneo.com", "hostname": "www.reductioneo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a1eb8b10286d8a660208d22", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T12:38:38.917000", "created": "2026-06-02T11:04:17.633000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4776, "domain": 2347, "hostname": 1885, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15032, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89e870b00e5430358ca", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:42.087000", "created": "2026-06-02T11:03:58.997000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4775, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15029, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89f53c0a70219dddefb", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:40.987000", "created": "2026-06-02T11:03:59.936000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4778, "domain": 2347, "hostname": 1888, "SSLCertFingerprint": 15, "email": 16, "CVE": 1, "IPv4": 1 }, "indicator_count": 15038, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692440efac39f5213329f13", "name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox", "description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.", "modified": "2024-08-12T08:04:00.041000", "created": "2024-07-13T09:08:30.431000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4773, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15027, "is_author": false, "is_subscribing": null, "subscriber_count": 238, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.reductioneo.com/codepromo/desenio.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.reductioneo.com/codepromo/desenio.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780494736.3982894 }