{ "type": "URL", "indicator": "https://www.snapacc.com/features", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.snapacc.com/features", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3772094829, "indicator": "https://www.snapacc.com/features", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a00eef29b122fc211e1a85c", "name": "Copy of 5[.]1[.]0[.]0 - 05.10.26", "description": "If I didn't know better, I would guess that is AWS, Fastly, Cloudflare botnet activity Targetting Urkraine\n\nOrigin: Edmonton, Alnerta", "modified": "2026-05-10T20:47:46.993000", "created": "2026-05-10T20:47:46.993000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/gd6bc2ac4a2bd4707b7287f9643acea44af35721b1f3243b385313ddc60862e0a?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 370, "IPv4": 572, "IPv6": 1, "URL": 77, "domain": 35, "hostname": 134 }, "indicator_count": 1250, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670e79d0083d46c0532d2602", "name": "5[.]1[.]0[.]0 - Windows NT & Program Files IE - 10.15.24", "description": "Hgkghk, \u00c2\u00a31.1m, is the latest in a series of names to be added to the list of domain names that can be used to track users' activity.\nWorking my way around this Pesky IP", "modified": "2024-11-14T14:02:16.695000", "created": "2024-10-15T14:18:56.639000", "tags": [ "entity", "Windows NT", "Internet Explorer", "Program Files" ], "references": [ "https://www.virustotal.com/graph/embed/g4ba19a7ec3564c599b1b8d19935cc3ccb7b538708e9b4a3b9048ec86e0062e01?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/iocs", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/community", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 41, "FileHash-SHA1": 38, "FileHash-SHA256": 256, "domain": 21, "hostname": 131 }, "indicator_count": 564, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669ac41b3186b8cc8c40e9e3", "name": "Powershell", "description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832", "modified": "2024-09-01T17:02:12.379000", "created": "2024-07-19T19:52:59.626000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4402, "URL": 1463, "domain": 621, "hostname": 1159, "FileHash-MD5": 423, "FileHash-SHA1": 423 }, "indicator_count": 8491, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669dc20b2ec2a686e9ed843e", "name": "Windows NT - C:/Program Files (x86)/Windows NT", "description": "Malicious: 7Zip.zip, a free version of the Windows NT operating system, has been detected by a Malware Analysis Service (Sigma) lab in the United States and Canada. (Autopopulated?). Just another weird folder to add to the mix that was not previously accessible. 5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221\nWindows NT[.]zip file", "modified": "2024-08-21T03:00:33.424000", "created": "2024-07-22T02:20:59.937000", "tags": [ "please", "javascript", "pe file", "found", "pe32", "intel", "ms windows", "crlf line", "unicode text", "utf16", "drops pe", "sample", "persistence", "window", "malicious", "next" ], "references": [ "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721614596&Signature=WubzxRzhz06z30Pgd8w6R%2BdwGreVCl76oWHIBJW%2FPhuiahy%2BKPBa0Y1cptDoHe%2FSnD5OwFE3uPWg18sU0SXZO7CUEtodS%2FYZlMce7FgIxwCsUqvh7%2BkILBPNPDsGrIfexaXhe641XUTko%2Fo%2Fcars0iVw6CnukWiv0DnK1t1zKGMCls%2FHoGmwpyHek%2FkQ2sca268dQOUMVSVzxE9QbDQ0E%2BNihVlMHPtAEEdg%2BurasEZODt", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721614830&Signature=NTWjzMWu2x%2FkDLDFhG9X9xvH6EZ0IW%2FisoVAx0C3qvHgB4TTNcLON9vnq3O9jZ0bTh%2Fwk5dkL5cDMsNvLvGR1B%2FrpzsoMpuK9Mmg50INMJTbjwZ5Vu2XEWp1V%2FrexsvVs82X6Oa1HcECHD4hXmOLuoSIaacahnbPmR%2BBKib%2B2f1TrM6b0yuDq%2BOHT4zcR6v4bo69uM4AJFjzW%2BNA4dsxYMrU8G0doh%2BEFIK2CyZvmw", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721615193&Signature=PbnANR1kKnesU7akusFUK8oBOXYVc4hPuTdStvFSFM%2BnDu9vfEsXFjD1zEiZCSxoM%2B0A1GMGPJArkT6FN%2By%2F0N%2FbxIAAMzxWRmHRd4YFeONRu9C2vCHf%2F6JD634xZLjfXPCf6nwhhTyAug1taMd8v2JJ33lGG5T3AAlP7Bc3ounfWTA291yHU%2Br59ufC1oQWOiyy3eGpGeDHl1cNiX%2F40yJu0JHNayirdVkD5lwHuYjYPl", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721615218&Signature=YjJ0hU1H00M55fIA41nFsmUizSBNr3FtpSLt0GV61jRcAh5OxSIIYGN3kT%2FWr%2BG%2FKqVVk1grZTqOYJrD3YeacZViaR%2FIVGlXeXI5E3eEeaAUVETcHpkg6Mwc0FfXOjI6P84PAOdrlUO2EmvpdwLw2O24jeenYvzirj1GT0QoWcJ5HVxbf44kkgMmkFnwmVi0PSoEd81v%2FVt5gk3mIvduX4TqxQsFn9DexYVu3DAwat%2BGZG%2BBn8d3rhTb", "https://www.virustotal.com/graph/embed/g55a5bfd817c3452fbde7286cc24f2a257fad6ebbf582418fa2844e88137bed40?theme=dark", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b/graph", "https://viz.greynoise.io/analysis/2e808001-e8be-4300-9fb5-8304538c9cf6", "https://tria.ge/240722-engzhawdmf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [ "Technology", "Education", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7958, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 280, "FileHash-SHA1": 165, "FileHash-SHA256": 754, "hostname": 195, "URL": 367, "domain": 111 }, "indicator_count": 1872, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "651 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a975e2a76dd4ddaec80a", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-12-06T17:03:49.269000", "created": "2023-12-06T17:03:49.269000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "FileHash-SHA1": 545, "FileHash-MD5": 1071 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652c33c45c1f1566c4b8c6a2", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "https://login.live.com/oauth20_remoteconnect.srf\nInvalid CRDS Token\nI suffered quite an attack on my devices. My personal experience, phone service changed, embedding., privilege escalation adversaries, remote probe, obvious unauthorized microsoft usage multiple logins. embedded phone service apps, injected, unknown apps, dumping. connect/shared/ tethered to other clouds, apps devices, decrypted phone., cookies turned off after attack, no Google, other search engine access, passwords compromised malicious Google sorry index w/Azorult. I am targeted. Usual suspects\nPrior: 'D241 connect test was successful messages'. Wifi and cellular issues.\nAftermath, Zombie devices. C2. Calls don't connect, keyloggers, etc", "modified": "2023-11-14T17:01:45.019000", "created": "2023-10-15T18:47:32.354000", "tags": [ "whois record", "historical ssl", "ssl certificate", "communicating", "referrer", "united", "mail spammer", "detection list", "ip address", "blacklist", "possiblecerber", "outlook", "covid19", "artemis", "unsafe", "cisco umbrella", "site", "safe site", "phishing site", "malicious site", "malware", "malware site", "alexa top", "million", "phishingms", "exploit", "live", "blacklist https", "javascript", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "p3p cp", "pragma", "whois whois", "contacted", "threat network", "pe resource", "uatrue url", "typepv", "probe", "execution", "core", "emotet", "remcos", "nokoyawa", "asyncrat", "heur", "anonymizer", "firehol", "trojanx", "agent", "riskware", "trojan", "binder", "small", "downloader", "hupigon", "crypt", "cobalt strike", "union", "team", "agent tesla", "malicious", "fakealert", "dbatloader", "stealer", "nanocore rat", "formbook", "dropper", "dridex", "hawkeye", "netwire", "download", "opencandy", "bladabindi", "phishing", "bank", "alexa", "trojanspy", "maltiverse", "uatrue", "processorx86", "langen", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "injected", "mitre", "attack", "cybercrime", "Suspicious.Save", "dns server", "scanning ip's", "Backdoor.Remcos", "Threats200220200050", "IOC_19052020", "behaves like emotet" ], "references": [ "https://login.live.com/oauth20_remoteconnect.srf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "HawkEye Keylogger", "display_name": "HawkEye Keylogger", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Application.Generic", "display_name": "Application.Generic", "target": null }, { "id": "Backdoor.RemoteManipulator", "display_name": "Backdoor.RemoteManipulator", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "XOR.DDoS", "display_name": "XOR.DDoS", "target": null }, { "id": "Backdoor.Remcos", "display_name": "Backdoor.Remcos", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1071, "FileHash-SHA1": 545, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "CVE": 8 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1c989df5416bd0ff3d38", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-11-14T17:01:45.019000", "created": "2023-10-30T03:01:44.846000", "tags": [ "whois record", "historical ssl", "ssl certificate", "communicating", "referrer", "united", "mail spammer", "detection list", "ip address", "blacklist", "possiblecerber", "outlook", "covid19", "artemis", "unsafe", "cisco umbrella", "site", "safe site", "phishing site", "malicious site", "malware", "malware site", "alexa top", "million", "phishingms", "exploit", "live", "blacklist https", "javascript", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "p3p cp", "pragma", "whois whois", "contacted", "threat network", "pe resource", "uatrue url", "typepv", "probe", "execution", "core", "emotet", "remcos", "nokoyawa", "asyncrat", "heur", "anonymizer", "firehol", "trojanx", "agent", "riskware", "trojan", "binder", "small", "downloader", "hupigon", "crypt", "cobalt strike", "union", "team", "agent tesla", "malicious", "fakealert", "dbatloader", "stealer", "nanocore rat", "formbook", "dropper", "dridex", "hawkeye", "netwire", "download", "opencandy", "bladabindi", "phishing", "bank", "alexa", "trojanspy", "maltiverse", "uatrue", "processorx86", "langen", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "injected", "mitre", "attack", "cybercrime", "Suspicious.Save", "dns server", "scanning ip's", "Backdoor.Remcos", "Threats200220200050", "IOC_19052020", "behaves like emotet" ], "references": [ "https://login.live.com/oauth20_remoteconnect.srf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "HawkEye Keylogger", "display_name": "HawkEye Keylogger", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Application.Generic", "display_name": "Application.Generic", "target": null }, { "id": "Backdoor.RemoteManipulator", "display_name": "Backdoor.RemoteManipulator", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "XOR.DDoS", "display_name": "XOR.DDoS", "target": null }, { "id": "Backdoor.Remcos", "display_name": "Backdoor.Remcos", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "652c33c45c1f1566c4b8c6a2", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1071, "FileHash-SHA1": 545, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "CVE": 8 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/community", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8", "https://www.virustotal.com/graph/embed/g55a5bfd817c3452fbde7286cc24f2a257fad6ebbf582418fa2844e88137bed40?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721615193&Signature=PbnANR1kKnesU7akusFUK8oBOXYVc4hPuTdStvFSFM%2BnDu9vfEsXFjD1zEiZCSxoM%2B0A1GMGPJArkT6FN%2By%2F0N%2FbxIAAMzxWRmHRd4YFeONRu9C2vCHf%2F6JD634xZLjfXPCf6nwhhTyAug1taMd8v2JJ33lGG5T3AAlP7Bc3ounfWTA291yHU%2Br59ufC1oQWOiyy3eGpGeDHl1cNiX%2F40yJu0JHNayirdVkD5lwHuYjYPl", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721614596&Signature=WubzxRzhz06z30Pgd8w6R%2BdwGreVCl76oWHIBJW%2FPhuiahy%2BKPBa0Y1cptDoHe%2FSnD5OwFE3uPWg18sU0SXZO7CUEtodS%2FYZlMce7FgIxwCsUqvh7%2BkILBPNPDsGrIfexaXhe641XUTko%2Fo%2Fcars0iVw6CnukWiv0DnK1t1zKGMCls%2FHoGmwpyHek%2FkQ2sca268dQOUMVSVzxE9QbDQ0E%2BNihVlMHPtAEEdg%2BurasEZODt", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "All - EnterpriseAppsList.csv", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://urlscan.io/search/#ualberta.ca", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/graph", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b/graph", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721615218&Signature=YjJ0hU1H00M55fIA41nFsmUizSBNr3FtpSLt0GV61jRcAh5OxSIIYGN3kT%2FWr%2BG%2FKqVVk1grZTqOYJrD3YeacZViaR%2FIVGlXeXI5E3eEeaAUVETcHpkg6Mwc0FfXOjI6P84PAOdrlUO2EmvpdwLw2O24jeenYvzirj1GT0QoWcJ5HVxbf44kkgMmkFnwmVi0PSoEd81v%2FVt5gk3mIvduX4TqxQsFn9DexYVu3DAwat%2BGZG%2BBn8d3rhTb", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "AppRegistrationList.csv", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/iocs", "https://tria.ge/240521-q4s79agb25/static1", "https://tria.ge/240722-engzhawdmf", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721614830&Signature=NTWjzMWu2x%2FkDLDFhG9X9xvH6EZ0IW%2FisoVAx0C3qvHgB4TTNcLON9vnq3O9jZ0bTh%2Fwk5dkL5cDMsNvLvGR1B%2FrpzsoMpuK9Mmg50INMJTbjwZ5Vu2XEWp1V%2FrexsvVs82X6Oa1HcECHD4hXmOLuoSIaacahnbPmR%2BBKib%2B2f1TrM6b0yuDq%2BOHT4zcR6v4bo69uM4AJFjzW%2BNA4dsxYMrU8G0doh%2BEFIK2CyZvmw", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://login.live.com/oauth20_remoteconnect.srf", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "Thor Scan: S-I9VvMTB6cZU", "https://www.virustotal.com/graph/embed/gd6bc2ac4a2bd4707b7287f9643acea44af35721b1f3243b385313ddc60862e0a?theme=dark", "https://viz.greynoise.io/analysis/2e808001-e8be-4300-9fb5-8304538c9cf6", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/graph/embed/g4ba19a7ec3564c599b1b8d19935cc3ccb7b538708e9b4a3b9048ec86e0062e01?theme=dark" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojanspy", "Agent tesla - s0331", "Maltiverse", "Gen:heur.ransom.hiddentears", "Application.generic", "Xor.ddos", "Backdoor.remotemanipulator", "Hawkeye keylogger", "Backdoor.remcos", "Suspicious.save", "Dridex" ], "industries": [ "Healthcare", "Education", "Telecommunications", "Government", "Technology" ], "unique_indicators": 57744 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/snapacc.com", "whois": "http://whois.domaintools.com/snapacc.com", "domain": "snapacc.com", "hostname": "www.snapacc.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a00eef29b122fc211e1a85c", "name": "Copy of 5[.]1[.]0[.]0 - 05.10.26", "description": "If I didn't know better, I would guess that is AWS, Fastly, Cloudflare botnet activity Targetting Urkraine\n\nOrigin: Edmonton, Alnerta", "modified": "2026-05-10T20:47:46.993000", "created": "2026-05-10T20:47:46.993000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/gd6bc2ac4a2bd4707b7287f9643acea44af35721b1f3243b385313ddc60862e0a?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 370, "IPv4": 572, "IPv6": 1, "URL": 77, "domain": 35, "hostname": 134 }, "indicator_count": 1250, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670e79d0083d46c0532d2602", "name": "5[.]1[.]0[.]0 - Windows NT & Program Files IE - 10.15.24", "description": "Hgkghk, \u00c2\u00a31.1m, is the latest in a series of names to be added to the list of domain names that can be used to track users' activity.\nWorking my way around this Pesky IP", "modified": "2024-11-14T14:02:16.695000", "created": "2024-10-15T14:18:56.639000", "tags": [ "entity", "Windows NT", "Internet Explorer", "Program Files" ], "references": [ "https://www.virustotal.com/graph/embed/g4ba19a7ec3564c599b1b8d19935cc3ccb7b538708e9b4a3b9048ec86e0062e01?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/iocs", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/community", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 41, "FileHash-SHA1": 38, "FileHash-SHA256": 256, "domain": 21, "hostname": 131 }, "indicator_count": 564, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669ac41b3186b8cc8c40e9e3", "name": "Powershell", "description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832", "modified": "2024-09-01T17:02:12.379000", "created": "2024-07-19T19:52:59.626000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4402, "URL": 1463, "domain": 621, "hostname": 1159, "FileHash-MD5": 423, "FileHash-SHA1": 423 }, "indicator_count": 8491, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669dc20b2ec2a686e9ed843e", "name": "Windows NT - C:/Program Files (x86)/Windows NT", "description": "Malicious: 7Zip.zip, a free version of the Windows NT operating system, has been detected by a Malware Analysis Service (Sigma) lab in the United States and Canada. (Autopopulated?). Just another weird folder to add to the mix that was not previously accessible. 5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221\nWindows NT[.]zip file", "modified": "2024-08-21T03:00:33.424000", "created": "2024-07-22T02:20:59.937000", "tags": [ "please", "javascript", "pe file", "found", "pe32", "intel", "ms windows", "crlf line", "unicode text", "utf16", "drops pe", "sample", "persistence", "window", "malicious", "next" ], "references": [ "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721614596&Signature=WubzxRzhz06z30Pgd8w6R%2BdwGreVCl76oWHIBJW%2FPhuiahy%2BKPBa0Y1cptDoHe%2FSnD5OwFE3uPWg18sU0SXZO7CUEtodS%2FYZlMce7FgIxwCsUqvh7%2BkILBPNPDsGrIfexaXhe641XUTko%2Fo%2Fcars0iVw6CnukWiv0DnK1t1zKGMCls%2FHoGmwpyHek%2FkQ2sca268dQOUMVSVzxE9QbDQ0E%2BNihVlMHPtAEEdg%2BurasEZODt", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721614830&Signature=NTWjzMWu2x%2FkDLDFhG9X9xvH6EZ0IW%2FisoVAx0C3qvHgB4TTNcLON9vnq3O9jZ0bTh%2Fwk5dkL5cDMsNvLvGR1B%2FrpzsoMpuK9Mmg50INMJTbjwZ5Vu2XEWp1V%2FrexsvVs82X6Oa1HcECHD4hXmOLuoSIaacahnbPmR%2BBKib%2B2f1TrM6b0yuDq%2BOHT4zcR6v4bo69uM4AJFjzW%2BNA4dsxYMrU8G0doh%2BEFIK2CyZvmw", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721615193&Signature=PbnANR1kKnesU7akusFUK8oBOXYVc4hPuTdStvFSFM%2BnDu9vfEsXFjD1zEiZCSxoM%2B0A1GMGPJArkT6FN%2By%2F0N%2FbxIAAMzxWRmHRd4YFeONRu9C2vCHf%2F6JD634xZLjfXPCf6nwhhTyAug1taMd8v2JJ33lGG5T3AAlP7Bc3ounfWTA291yHU%2Br59ufC1oQWOiyy3eGpGeDHl1cNiX%2F40yJu0JHNayirdVkD5lwHuYjYPl", "https://vtbehaviour.commondatastorage.googleapis.com/5aa3fc90d8b22602c17059a562f58587f4c25c0bac42b5c2681fb098cac16221_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721615218&Signature=YjJ0hU1H00M55fIA41nFsmUizSBNr3FtpSLt0GV61jRcAh5OxSIIYGN3kT%2FWr%2BG%2FKqVVk1grZTqOYJrD3YeacZViaR%2FIVGlXeXI5E3eEeaAUVETcHpkg6Mwc0FfXOjI6P84PAOdrlUO2EmvpdwLw2O24jeenYvzirj1GT0QoWcJ5HVxbf44kkgMmkFnwmVi0PSoEd81v%2FVt5gk3mIvduX4TqxQsFn9DexYVu3DAwat%2BGZG%2BBn8d3rhTb", "https://www.virustotal.com/graph/embed/g55a5bfd817c3452fbde7286cc24f2a257fad6ebbf582418fa2844e88137bed40?theme=dark", "https://www.virustotal.com/gui/collection/f5f44695fd1867e0fff2ea76012911e5f5cab334910729fb71a9bc62bd3b918b/graph", "https://viz.greynoise.io/analysis/2e808001-e8be-4300-9fb5-8304538c9cf6", "https://tria.ge/240722-engzhawdmf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [ "Technology", "Education", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7958, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 280, "FileHash-SHA1": 165, "FileHash-SHA256": 754, "hostname": 195, "URL": 367, "domain": 111 }, "indicator_count": 1872, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "651 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a975e2a76dd4ddaec80a", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-12-06T17:03:49.269000", "created": "2023-12-06T17:03:49.269000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "FileHash-SHA1": 545, "FileHash-MD5": 1071 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652c33c45c1f1566c4b8c6a2", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "https://login.live.com/oauth20_remoteconnect.srf\nInvalid CRDS Token\nI suffered quite an attack on my devices. My personal experience, phone service changed, embedding., privilege escalation adversaries, remote probe, obvious unauthorized microsoft usage multiple logins. embedded phone service apps, injected, unknown apps, dumping. connect/shared/ tethered to other clouds, apps devices, decrypted phone., cookies turned off after attack, no Google, other search engine access, passwords compromised malicious Google sorry index w/Azorult. I am targeted. Usual suspects\nPrior: 'D241 connect test was successful messages'. Wifi and cellular issues.\nAftermath, Zombie devices. C2. Calls don't connect, keyloggers, etc", "modified": "2023-11-14T17:01:45.019000", "created": "2023-10-15T18:47:32.354000", "tags": [ "whois record", "historical ssl", "ssl certificate", "communicating", "referrer", "united", "mail spammer", "detection list", "ip address", "blacklist", "possiblecerber", "outlook", "covid19", "artemis", "unsafe", "cisco umbrella", "site", "safe site", "phishing site", "malicious site", "malware", "malware site", "alexa top", "million", "phishingms", "exploit", "live", "blacklist https", "javascript", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "p3p cp", "pragma", "whois whois", "contacted", "threat network", "pe resource", "uatrue url", "typepv", "probe", "execution", "core", "emotet", "remcos", "nokoyawa", "asyncrat", "heur", "anonymizer", "firehol", "trojanx", "agent", "riskware", "trojan", "binder", "small", "downloader", "hupigon", "crypt", "cobalt strike", "union", "team", "agent tesla", "malicious", "fakealert", "dbatloader", "stealer", "nanocore rat", "formbook", "dropper", "dridex", "hawkeye", "netwire", "download", "opencandy", "bladabindi", "phishing", "bank", "alexa", "trojanspy", "maltiverse", "uatrue", "processorx86", "langen", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "injected", "mitre", "attack", "cybercrime", "Suspicious.Save", "dns server", "scanning ip's", "Backdoor.Remcos", "Threats200220200050", "IOC_19052020", "behaves like emotet" ], "references": [ "https://login.live.com/oauth20_remoteconnect.srf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "HawkEye Keylogger", "display_name": "HawkEye Keylogger", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Application.Generic", "display_name": "Application.Generic", "target": null }, { "id": "Backdoor.RemoteManipulator", "display_name": "Backdoor.RemoteManipulator", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "XOR.DDoS", "display_name": "XOR.DDoS", "target": null }, { "id": "Backdoor.Remcos", "display_name": "Backdoor.Remcos", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1071, "FileHash-SHA1": 545, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "CVE": 8 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1c989df5416bd0ff3d38", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-11-14T17:01:45.019000", "created": "2023-10-30T03:01:44.846000", "tags": [ "whois record", "historical ssl", "ssl certificate", "communicating", "referrer", "united", "mail spammer", "detection list", "ip address", "blacklist", "possiblecerber", "outlook", "covid19", "artemis", "unsafe", "cisco umbrella", "site", "safe site", "phishing site", "malicious site", "malware", "malware site", "alexa top", "million", "phishingms", "exploit", "live", "blacklist https", "javascript", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "p3p cp", "pragma", "whois whois", "contacted", "threat network", "pe resource", "uatrue url", "typepv", "probe", "execution", "core", "emotet", "remcos", "nokoyawa", "asyncrat", "heur", "anonymizer", "firehol", "trojanx", "agent", "riskware", "trojan", "binder", "small", "downloader", "hupigon", "crypt", "cobalt strike", "union", "team", "agent tesla", "malicious", "fakealert", "dbatloader", "stealer", "nanocore rat", "formbook", "dropper", "dridex", "hawkeye", "netwire", "download", "opencandy", "bladabindi", "phishing", "bank", "alexa", "trojanspy", "maltiverse", "uatrue", "processorx86", "langen", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "injected", "mitre", "attack", "cybercrime", "Suspicious.Save", "dns server", "scanning ip's", "Backdoor.Remcos", "Threats200220200050", "IOC_19052020", "behaves like emotet" ], "references": [ "https://login.live.com/oauth20_remoteconnect.srf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "HawkEye Keylogger", "display_name": "HawkEye Keylogger", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Application.Generic", "display_name": "Application.Generic", "target": null }, { "id": "Backdoor.RemoteManipulator", "display_name": "Backdoor.RemoteManipulator", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "XOR.DDoS", "display_name": "XOR.DDoS", "target": null }, { "id": "Backdoor.Remcos", "display_name": "Backdoor.Remcos", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "652c33c45c1f1566c4b8c6a2", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1071, "FileHash-SHA1": 545, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "CVE": 8 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "931 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.snapacc.com/features", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.snapacc.com/features", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780471734.168481 }