{ "type": "URL", "indicator": "https://www.trelvanokash.cfd/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.trelvanokash.cfd/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4347099758, "indicator": "https://www.trelvanokash.cfd/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b2fa376059b4216e8f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T10:45:57.198000", "created": "2026-05-09T04:23:14.660000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1375, "hostname": 1101, "URL": 1336, "domain": 507, "email": 89, "FileHash-MD5": 1306, "FileHash-SHA1": 406, "IPv4": 268, "IPv6": 6, "CIDR": 35 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf7d974ee6628d0cfb", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:34.167000", "created": "2026-05-09T04:23:27.294000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf4862bcb87d24490f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:33.235000", "created": "2026-05-09T04:23:27.455000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf88886c13b84136a0", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:32.377000", "created": "2026-05-09T04:23:27.808000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b404e1f849c9993cf5", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:37.388000", "created": "2026-05-09T04:23:16.462000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bc6072aa1a00dc8b74", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:35.492000", "created": "2026-05-09T04:23:24.510000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35be85a193d62e33e048", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:37:13.389000", "created": "2026-05-07T06:48:30.051000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 102, "FileHash-MD5": 28, "FileHash-SHA1": 47, "FileHash-SHA256": 831, "URL": 1460, "domain": 315, "hostname": 266, "CIDR": 1, "email": 3 }, "indicator_count": 3053, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc44626e54f5973606f81e", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-08T06:36:54.282000", "created": "2026-05-07T07:50:58.758000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 6, "FileHash-SHA256": 694, "domain": 89, "hostname": 78, "IPv4": 16, "URL": 78 }, "indicator_count": 975, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bc6924906c52c89f27", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:30:44.363000", "created": "2026-05-07T06:48:28.947000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 93, "FileHash-MD5": 24, "FileHash-SHA1": 43, "FileHash-SHA256": 167, "URL": 1447, "domain": 274, "hostname": 243, "CIDR": 1, "email": 3 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd77791314336d2ce3b694", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:30.965000", "created": "2026-05-08T05:41:13.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 204, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1262, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd777910676e8bf0b845ee", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.869000", "created": "2026-05-08T05:41:13.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd777a9e7f4113aeb6b47c", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.152000", "created": "2026-05-08T05:41:14.795000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd777b0f4e9133dee0511f", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:28.276000", "created": "2026-05-08T05:41:15.674000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bbf5093f9bf3cd0a32", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T05:17:02.092000", "created": "2026-05-07T06:48:27.828000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 110, "FileHash-MD5": 47, "FileHash-SHA1": 85, "FileHash-SHA256": 186, "URL": 1467, "domain": 274, "hostname": 247, "CIDR": 4, "email": 14 }, "indicator_count": 2434, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc18d0e4586dfaa5fc8e5e", "name": "VirusTotal report\n for Yandex.exe", "description": "[full report on the Yandex.exe malware, which was found on a Windows 11 operating system in the early hours of the morning, has been published by the University of South Africa.] Client changes iphone browser to Bing yesterday.", "modified": "2026-05-07T04:55:20.865000", "created": "2026-05-07T04:45:04.790000", "tags": [ "pe file", "file type", "https", "sample", "performs dns", "tls version", "creates", "urls", "ms windows", "aslr", "code", "persistence", "defense evasion", "malicious", "next", "getqueryurl412", "update with", "arguments", "info", "service", "verifymodule128", "stopservice815", "watchicufile185", "getqueryurl409", "installertype4", "windows sandbox", "calls process", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "path c", "sha1", "crc32", "win64", "accept", "shutdown", "guard", "powershell", "payload", "back", "bing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778128970&Signature=KvxEPuInqFwT1UVxhsUutlnt3Dx3pU%2FZPwCzlabMUZ%2BszI8kfcRbaoWeF5WPYmdf%2FEJWcFuOn%2FHMXzsDaz9mzSs6e%2F31BBO%2Bzn%2Bgsu6PQlevS5%2BPJLSpQQGdvdYxWvjgQtcWfWfdxLulfLOuewCybKwivHDsIS8nxzL4eilUywa96vdRGkU%2BzsWCuRt1DQdteRL%2B4xHM9Iw1lubk48EQZuLZn3%2BHW0WbWmPcpUDlpXmqRt%2", "https://www.virustotal.com/ui/file_behaviours/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_CAPE%20Sandbox/html", "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129039&Signature=EvKpA%2FXa5Pim74y4ZyibLmu25RPaoFGwevAkAPfFbDMkvRXR3nSFuc8fVUtVm9cJPOxY5wIDwaEi%2FLJ9U9W0rvqiycITY9SGa7Vzv97CcCn6PTLJjwF2FShIZiE%2F3eg4zoFce1VJm7HNuAOkyhbu2qCGvF9aqduRhC3CpTxYAepP1kC2GZutTpWIjioblhbRHCSZ5Iz0zRjQaPTUea8mrqeQV2nFqz%2BDwKLItcpvI9yz5mZ7", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129141&Signature=CcrEA1ECv4wxj8UIdmJUnDUBSvoB167GojRL%2BfBa0mcSCEUDoTqJbuuDr0RdXoVPApAzwPy4sOskH98XfBt8CdHdW3GrxPCHjBQAPEn0vhKZPDzoZ4ABLKke%2BYz6uYY0gsF1HVfKzP5N%2FE1i5i2ufi5NAQ6HzeQLM3ynBwu6mwjG%2BrafkkgSaMV00ksubUJfq0zNgvrwUMp%2FS5gFLv66%2F%2B912bzg%2F7Qxk7HpJS3uzwjWJZ", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129187&Signature=v%2FFdZTv2ZW8gkxMEiHXNqP%2BlysqiATUfJI4Sehiwpl6WMhtq%2BVWfqpe1WfCGvm2J4C1wbISRKhmXGECw7RM0BEKhPwTclqhKJwdtjPMZg%2BKxA5cYmTKM5xgkm0nf1bODU83vDlIhg1ue2cGQhGekvFc0J22ioNQvPNRhwSROTuqvRX9M6cFyV4S2OSwaPzfj24c8GEv%2FyUkWuUsxjSENS5gMNplle9E4Z%2B18BsVsSLO0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 190, "FileHash-SHA256": 789, "URL": 274, "domain": 95, "IPv4": 161, "hostname": 299, "email": 1 }, "indicator_count": 2231, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc18cd07af71dd4c1048a1", "name": "VirusTotal report\n for Yandex.exe", "description": "[full report on the Yandex.exe malware, which was found on a Windows 11 operating system in the early hours of the morning, has been published by the University of South Africa.] Client changes iphone browser to Bing yesterday.", "modified": "2026-05-07T04:50:57.126000", "created": "2026-05-07T04:45:01.264000", "tags": [ "pe file", "file type", "https", "sample", "performs dns", "tls version", "creates", "urls", "ms windows", "aslr", "code", "persistence", "defense evasion", "malicious", "next", "getqueryurl412", "update with", "arguments", "info", "service", "verifymodule128", "stopservice815", "watchicufile185", "getqueryurl409", "installertype4", "windows sandbox", "calls process", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "path c", "sha1", "crc32", "win64", "accept", "shutdown", "guard", "powershell", "payload", "back", "bing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778128970&Signature=KvxEPuInqFwT1UVxhsUutlnt3Dx3pU%2FZPwCzlabMUZ%2BszI8kfcRbaoWeF5WPYmdf%2FEJWcFuOn%2FHMXzsDaz9mzSs6e%2F31BBO%2Bzn%2Bgsu6PQlevS5%2BPJLSpQQGdvdYxWvjgQtcWfWfdxLulfLOuewCybKwivHDsIS8nxzL4eilUywa96vdRGkU%2BzsWCuRt1DQdteRL%2B4xHM9Iw1lubk48EQZuLZn3%2BHW0WbWmPcpUDlpXmqRt%2", "https://www.virustotal.com/ui/file_behaviours/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_CAPE%20Sandbox/html", "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129039&Signature=EvKpA%2FXa5Pim74y4ZyibLmu25RPaoFGwevAkAPfFbDMkvRXR3nSFuc8fVUtVm9cJPOxY5wIDwaEi%2FLJ9U9W0rvqiycITY9SGa7Vzv97CcCn6PTLJjwF2FShIZiE%2F3eg4zoFce1VJm7HNuAOkyhbu2qCGvF9aqduRhC3CpTxYAepP1kC2GZutTpWIjioblhbRHCSZ5Iz0zRjQaPTUea8mrqeQV2nFqz%2BDwKLItcpvI9yz5mZ7", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129141&Signature=CcrEA1ECv4wxj8UIdmJUnDUBSvoB167GojRL%2BfBa0mcSCEUDoTqJbuuDr0RdXoVPApAzwPy4sOskH98XfBt8CdHdW3GrxPCHjBQAPEn0vhKZPDzoZ4ABLKke%2BYz6uYY0gsF1HVfKzP5N%2FE1i5i2ufi5NAQ6HzeQLM3ynBwu6mwjG%2BrafkkgSaMV00ksubUJfq0zNgvrwUMp%2FS5gFLv66%2F%2B912bzg%2F7Qxk7HpJS3uzwjWJZ", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129187&Signature=v%2FFdZTv2ZW8gkxMEiHXNqP%2BlysqiATUfJI4Sehiwpl6WMhtq%2BVWfqpe1WfCGvm2J4C1wbISRKhmXGECw7RM0BEKhPwTclqhKJwdtjPMZg%2BKxA5cYmTKM5xgkm0nf1bODU83vDlIhg1ue2cGQhGekvFc0J22ioNQvPNRhwSROTuqvRX9M6cFyV4S2OSwaPzfj24c8GEv%2FyUkWuUsxjSENS5gMNplle9E4Z%2B18BsVsSLO0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 189, "FileHash-SHA256": 789, "URL": 191, "domain": 74, "IPv4": 145, "hostname": 225, "email": 1 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc18ce74d03deacb8b8455", "name": "VirusTotal report\n for Yandex.exe", "description": "[full report on the Yandex.exe malware, which was found on a Windows 11 operating system in the early hours of the morning, has been published by the University of South Africa.] Client changes iphone browser to Bing yesterday.", "modified": "2026-05-07T04:50:56.098000", "created": "2026-05-07T04:45:02.466000", "tags": [ "pe file", "file type", "https", "sample", "performs dns", "tls version", "creates", "urls", "ms windows", "aslr", "code", "persistence", "defense evasion", "malicious", "next", "getqueryurl412", "update with", "arguments", "info", "service", "verifymodule128", "stopservice815", "watchicufile185", "getqueryurl409", "installertype4", "windows sandbox", "calls process", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "path c", "sha1", "crc32", "win64", "accept", "shutdown", "guard", "powershell", "payload", "back", "bing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778128970&Signature=KvxEPuInqFwT1UVxhsUutlnt3Dx3pU%2FZPwCzlabMUZ%2BszI8kfcRbaoWeF5WPYmdf%2FEJWcFuOn%2FHMXzsDaz9mzSs6e%2F31BBO%2Bzn%2Bgsu6PQlevS5%2BPJLSpQQGdvdYxWvjgQtcWfWfdxLulfLOuewCybKwivHDsIS8nxzL4eilUywa96vdRGkU%2BzsWCuRt1DQdteRL%2B4xHM9Iw1lubk48EQZuLZn3%2BHW0WbWmPcpUDlpXmqRt%2", "https://www.virustotal.com/ui/file_behaviours/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_CAPE%20Sandbox/html", "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129039&Signature=EvKpA%2FXa5Pim74y4ZyibLmu25RPaoFGwevAkAPfFbDMkvRXR3nSFuc8fVUtVm9cJPOxY5wIDwaEi%2FLJ9U9W0rvqiycITY9SGa7Vzv97CcCn6PTLJjwF2FShIZiE%2F3eg4zoFce1VJm7HNuAOkyhbu2qCGvF9aqduRhC3CpTxYAepP1kC2GZutTpWIjioblhbRHCSZ5Iz0zRjQaPTUea8mrqeQV2nFqz%2BDwKLItcpvI9yz5mZ7", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129141&Signature=CcrEA1ECv4wxj8UIdmJUnDUBSvoB167GojRL%2BfBa0mcSCEUDoTqJbuuDr0RdXoVPApAzwPy4sOskH98XfBt8CdHdW3GrxPCHjBQAPEn0vhKZPDzoZ4ABLKke%2BYz6uYY0gsF1HVfKzP5N%2FE1i5i2ufi5NAQ6HzeQLM3ynBwu6mwjG%2BrafkkgSaMV00ksubUJfq0zNgvrwUMp%2FS5gFLv66%2F%2B912bzg%2F7Qxk7HpJS3uzwjWJZ", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129187&Signature=v%2FFdZTv2ZW8gkxMEiHXNqP%2BlysqiATUfJI4Sehiwpl6WMhtq%2BVWfqpe1WfCGvm2J4C1wbISRKhmXGECw7RM0BEKhPwTclqhKJwdtjPMZg%2BKxA5cYmTKM5xgkm0nf1bODU83vDlIhg1ue2cGQhGekvFc0J22ioNQvPNRhwSROTuqvRX9M6cFyV4S2OSwaPzfj24c8GEv%2FyUkWuUsxjSENS5gMNplle9E4Z%2B18BsVsSLO0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 189, "FileHash-SHA256": 789, "URL": 191, "domain": 74, "IPv4": 145, "hostname": 225, "email": 1 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc18cf1d3c2127ee8a4c0c", "name": "VirusTotal report\n for Yandex.exe", "description": "[full report on the Yandex.exe malware, which was found on a Windows 11 operating system in the early hours of the morning, has been published by the University of South Africa.] Client changes iphone browser to Bing yesterday.", "modified": "2026-05-07T04:50:55.377000", "created": "2026-05-07T04:45:03.716000", "tags": [ "pe file", "file type", "https", "sample", "performs dns", "tls version", "creates", "urls", "ms windows", "aslr", "code", "persistence", "defense evasion", "malicious", "next", "getqueryurl412", "update with", "arguments", "info", "service", "verifymodule128", "stopservice815", "watchicufile185", "getqueryurl409", "installertype4", "windows sandbox", "calls process", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "path c", "sha1", "crc32", "win64", "accept", "shutdown", "guard", "powershell", "payload", "back", "bing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778128970&Signature=KvxEPuInqFwT1UVxhsUutlnt3Dx3pU%2FZPwCzlabMUZ%2BszI8kfcRbaoWeF5WPYmdf%2FEJWcFuOn%2FHMXzsDaz9mzSs6e%2F31BBO%2Bzn%2Bgsu6PQlevS5%2BPJLSpQQGdvdYxWvjgQtcWfWfdxLulfLOuewCybKwivHDsIS8nxzL4eilUywa96vdRGkU%2BzsWCuRt1DQdteRL%2B4xHM9Iw1lubk48EQZuLZn3%2BHW0WbWmPcpUDlpXmqRt%2", "https://www.virustotal.com/ui/file_behaviours/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_CAPE%20Sandbox/html", "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129039&Signature=EvKpA%2FXa5Pim74y4ZyibLmu25RPaoFGwevAkAPfFbDMkvRXR3nSFuc8fVUtVm9cJPOxY5wIDwaEi%2FLJ9U9W0rvqiycITY9SGa7Vzv97CcCn6PTLJjwF2FShIZiE%2F3eg4zoFce1VJm7HNuAOkyhbu2qCGvF9aqduRhC3CpTxYAepP1kC2GZutTpWIjioblhbRHCSZ5Iz0zRjQaPTUea8mrqeQV2nFqz%2BDwKLItcpvI9yz5mZ7", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129141&Signature=CcrEA1ECv4wxj8UIdmJUnDUBSvoB167GojRL%2BfBa0mcSCEUDoTqJbuuDr0RdXoVPApAzwPy4sOskH98XfBt8CdHdW3GrxPCHjBQAPEn0vhKZPDzoZ4ABLKke%2BYz6uYY0gsF1HVfKzP5N%2FE1i5i2ufi5NAQ6HzeQLM3ynBwu6mwjG%2BrafkkgSaMV00ksubUJfq0zNgvrwUMp%2FS5gFLv66%2F%2B912bzg%2F7Qxk7HpJS3uzwjWJZ", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129187&Signature=v%2FFdZTv2ZW8gkxMEiHXNqP%2BlysqiATUfJI4Sehiwpl6WMhtq%2BVWfqpe1WfCGvm2J4C1wbISRKhmXGECw7RM0BEKhPwTclqhKJwdtjPMZg%2BKxA5cYmTKM5xgkm0nf1bODU83vDlIhg1ue2cGQhGekvFc0J22ioNQvPNRhwSROTuqvRX9M6cFyV4S2OSwaPzfj24c8GEv%2FyUkWuUsxjSENS5gMNplle9E4Z%2B18BsVsSLO0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 189, "FileHash-SHA256": 789, "URL": 191, "domain": 74, "IPv4": 145, "hostname": 225, "email": 1 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778128970&Signature=KvxEPuInqFwT1UVxhsUutlnt3Dx3pU%2FZPwCzlabMUZ%2BszI8kfcRbaoWeF5WPYmdf%2FEJWcFuOn%2FHMXzsDaz9mzSs6e%2F31BBO%2Bzn%2Bgsu6PQlevS5%2BPJLSpQQGdvdYxWvjgQtcWfWfdxLulfLOuewCybKwivHDsIS8nxzL4eilUywa96vdRGkU%2BzsWCuRt1DQdteRL%2B4xHM9Iw1lubk48EQZuLZn3%2BHW0WbWmPcpUDlpXmqRt%2", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129141&Signature=CcrEA1ECv4wxj8UIdmJUnDUBSvoB167GojRL%2BfBa0mcSCEUDoTqJbuuDr0RdXoVPApAzwPy4sOskH98XfBt8CdHdW3GrxPCHjBQAPEn0vhKZPDzoZ4ABLKke%2BYz6uYY0gsF1HVfKzP5N%2FE1i5i2ufi5NAQ6HzeQLM3ynBwu6mwjG%2BrafkkgSaMV00ksubUJfq0zNgvrwUMp%2FS5gFLv66%2F%2B912bzg%2F7Qxk7HpJS3uzwjWJZ", "https://www.virustotal.com/ui/file_behaviours/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_CAPE%20Sandbox/html", "https://vtbehaviour.commondatastorage.googleapis.com/88becfbea4b9c499c5d01f64204d5114ae0112d0853f0b752262cb831e3e30be_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129039&Signature=EvKpA%2FXa5Pim74y4ZyibLmu25RPaoFGwevAkAPfFbDMkvRXR3nSFuc8fVUtVm9cJPOxY5wIDwaEi%2FLJ9U9W0rvqiycITY9SGa7Vzv97CcCn6PTLJjwF2FShIZiE%2F3eg4zoFce1VJm7HNuAOkyhbu2qCGvF9aqduRhC3CpTxYAepP1kC2GZutTpWIjioblhbRHCSZ5Iz0zRjQaPTUea8mrqeQV2nFqz%2BDwKLItcpvI9yz5mZ7", "https://vtbehaviour.commondatastorage.googleapis.com/a86b6c59331a4bec79fbbe3b2e5bad589cd60824422d2662488ff6ec7db9cb17_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778129187&Signature=v%2FFdZTv2ZW8gkxMEiHXNqP%2BlysqiATUfJI4Sehiwpl6WMhtq%2BVWfqpe1WfCGvm2J4C1wbISRKhmXGECw7RM0BEKhPwTclqhKJwdtjPMZg%2BKxA5cYmTKM5xgkm0nf1bODU83vDlIhg1ue2cGQhGekvFc0J22ioNQvPNRhwSROTuqvRX9M6cFyV4S2OSwaPzfj24c8GEv%2FyUkWuUsxjSENS5gMNplle9E4Z%2B18BsVsSLO0" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 8773 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/trelvanokash.cfd", "whois": "http://whois.domaintools.com/trelvanokash.cfd", "domain": "trelvanokash.cfd", "hostname": "www.trelvanokash.cfd" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b2fa376059b4216e8f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T10:45:57.198000", "created": "2026-05-09T04:23:14.660000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1375, "hostname": 1101, "URL": 1336, "domain": 507, "email": 89, "FileHash-MD5": 1306, "FileHash-SHA1": 406, "IPv4": 268, "IPv6": 6, "CIDR": 35 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf7d974ee6628d0cfb", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:34.167000", "created": "2026-05-09T04:23:27.294000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf4862bcb87d24490f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:33.235000", "created": "2026-05-09T04:23:27.455000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf88886c13b84136a0", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:32.377000", "created": "2026-05-09T04:23:27.808000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b404e1f849c9993cf5", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:37.388000", "created": "2026-05-09T04:23:16.462000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bc6072aa1a00dc8b74", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:35.492000", "created": "2026-05-09T04:23:24.510000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35be85a193d62e33e048", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:37:13.389000", "created": "2026-05-07T06:48:30.051000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 102, "FileHash-MD5": 28, "FileHash-SHA1": 47, "FileHash-SHA256": 831, "URL": 1460, "domain": 315, "hostname": 266, "CIDR": 1, "email": 3 }, "indicator_count": 3053, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc44626e54f5973606f81e", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-08T06:36:54.282000", "created": "2026-05-07T07:50:58.758000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 6, "FileHash-SHA256": 694, "domain": 89, "hostname": 78, "IPv4": 16, "URL": 78 }, "indicator_count": 975, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc35bc6924906c52c89f27", "name": "CAPE Sandbox- LOTA- Living off the Admin", "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP 656 DNS 702 IP 1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]", "modified": "2026-05-08T06:30:44.363000", "created": "2026-05-07T06:48:28.947000", "tags": [ "cloudflare", "city", "san francisco", "rnocname", "orgid", "rtechhandle", "net104", "net1040000", "rtechemail", "rabusehandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 93, "FileHash-MD5": 24, "FileHash-SHA1": 43, "FileHash-SHA256": 167, "URL": 1447, "domain": 274, "hostname": 243, "CIDR": 1, "email": 3 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.trelvanokash.cfd/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.trelvanokash.cfd/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780235634.700774 }