{ "type": "URL", "indicator": "https://www.thawte.com/repository0", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.thawte.com/repository0", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #882", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain thawte.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain thawte.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2241372059, "indicator": "https://www.thawte.com/repository0", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac967057c13623229fa4", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-15T10:49:24.586000", "created": "2026-05-14T11:05:58.600000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 245, "FileHash-SHA1": 109, "FileHash-SHA256": 224, "URL": 269, "domain": 51, "email": 3, "hostname": 189, "Mutex": 4 }, "indicator_count": 1130, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac72028bf99f635f0ded", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:05:22.932000", "created": "2026-05-14T11:05:22.932000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac2c27730f972e8d9474", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:04:12.425000", "created": "2026-05-14T11:04:12.425000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "https://clockoutbox.es/password", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "http://cr-malware.testpanw.com/url", "https://securityaffairs.com/144927/cyber-crime~#", "this.target", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "IDS Detections: Query to a *.pw domain - Likely Hostile", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "114.114.114.114 = Tulach", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "authrootstl.cab common file extension", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "@GRAMMERSoft" ], "malware_families": [ "Worm:win32/autorun!atmn", "Alf:trojan:win64/psbanker", "Tulach", "Trojan:o97m/madeba.a!det" ], "industries": [], "unique_indicators": 8143 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/thawte.com", "whois": "http://whois.domaintools.com/thawte.com", "domain": "thawte.com", "hostname": "www.thawte.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac967057c13623229fa4", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-15T10:49:24.586000", "created": "2026-05-14T11:05:58.600000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 245, "FileHash-SHA1": 109, "FileHash-SHA256": 224, "URL": 269, "domain": 51, "email": 3, "hostname": 189, "Mutex": 4 }, "indicator_count": 1130, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac72028bf99f635f0ded", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:05:22.932000", "created": "2026-05-14T11:05:22.932000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac2c27730f972e8d9474", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:04:12.425000", "created": "2026-05-14T11:04:12.425000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.thawte.com/repository0", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.thawte.com/repository0", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780206639.9012725 }