{ "type": "URL", "indicator": "https://www.ubinary.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.ubinary.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3757393458, "indicator": "https://www.ubinary.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c8adc78d892cadd250a", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:54.432000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://metro-tmo.com/", "Alienvault OTX", "Data Analysis", "Hybrid Analysis" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Metro", "Quasar rat", "Alf:trojan:o97m/emotet", "Backdoor:win32/outbreak", "Trojanspy", "Mimikatz", "Irata", "Trojandownloader:o97m/bazaloader", "Virus:dos/metro", "Squirrelwaffle", "Suppobox", "Maltiverse", "Formbook", "Trojandropper:vbs/swrort", "Vidar", "Blacknet rat", "Azorult", "Backdoor:msil/bladabindi", "Alf:pua:win32/fusioncore", "Backdoor:win32/zbot", "Ramnit", "Trojan:win32/installcore", "Artemis", "Beach research", "Pony - s0453", "Cobalt strike - s0154", "Alf:pua:win32/opencandy", "Virut" ], "industries": [ "Food", "Entertainment", "Gas" ], "unique_indicators": 22218 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ubinary.com", "whois": "http://whois.domaintools.com/ubinary.com", "domain": "ubinary.com", "hostname": "www.ubinary.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69e1d9cd805ecfc463bed935", "name": "BlackNet RAT clone credit octoseek", "description": "", "modified": "2026-04-18T00:51:09.427000", "created": "2026-04-17T06:57:17.378000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 781, "FileHash-SHA256": 3085, "domain": 528, "URL": 3130, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8508, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5cb329096398f3411f4", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-12-06T16:48:11.311000", "created": "2023-12-06T16:48:11.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5ba6d66424b1992092e", "name": "BlackNet RAT", "description": "", "modified": "2023-12-06T16:47:54.897000", "created": "2023-12-06T16:47:54.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5b2ff4216fe9cd82624", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-12-06T16:47:46.826000", "created": "2023-12-06T16:47:46.826000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 3085, "hostname": 780, "domain": 527, "FileHash-MD5": 610, "FileHash-SHA1": 368, "URL": 3128 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c39523aa8a52fdb1fa1", "name": "Metro T-Mobile Command & Control. Cyber Threat", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:38:33.405000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c66e0b02a6dde4a8b7a", "name": "BlackNet RAT", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:18.306000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c39523aa8a52fdb1fa1", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650d0c8adc78d892cadd250a", "name": "Virus:DOS/Metro", "description": "", "modified": "2023-10-21T23:02:19.178000", "created": "2023-09-22T03:39:54.432000", "tags": [ "united", "heur", "bank", "covid19 scam", "anonymizer", "malicious site", "telefonica peru", "cyber threat", "proxy", "malware", "phishing", "zbot", "suppobox", "team", "trojanx", "service", "facebook", "win64", "trojan", "artemis", "cisco umbrella", "site", "alexa top", "million", "safe site", "engineering", "download", "microsoft", "generic", "union", "bazaloader", "media", "runescape", "blacklist https", "generic malware", "metro", "tmobile", "on us", "mls season", "home internet", "shop", "autopay", "free", "metro store", "limit", "pass", "close", "galaxy", "easy", "back", "stream", "find", "twitter", "intnavfnav", "conditions", "service url", "search live", "api blog", "docs pricing", "september", "instagram url", "facebook url", "value", "variables", "visitor object", "alpine object", "cookies", "taq boolean", "get h2", "kb script", "b xhr", "post h2", "frame", "b image", "kb image", "redirect chain", "frame c0bc", "kb stylesheet", "covid19", "phishing site", "malicious", "cve201711882", "cobalt strike", "squirrelwaffle", "pony", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "bambernek", "alexa", "unsafe", "opencandy", "downldr", "irata", "dbatloader", "vidar", "outbreak", "downloader", "blocker", "ransom", "autoit", "bladabindi", "emotet", "blacknet rat", "stealer", "presenoker", "fusioncore", "cleaner", "wacatac", "riskware", "coinminer", "xrat", "swrort", "installcore", "trojanspy", "mbydkqdhtu0h", "pbiptbmvd0k4", "pbzpdldtg", "detection list", "glelexoputyh", "linkid252669", "s2okorbdpt2x", "el9km", "mtap2vnnnpj", "blacklist", "x22x22", "x22scriptx22", "x22dntx22", "date", "u002d2", "linkcode u002d", "srclang", "urllang", "srcurl", "qzid", "pattern match", "intnavtnav", "q0o0mahttp", "login", "windows nt", "bad traffic", "et info", "tls handshake", "failure", "http traffic", "http", "suricata alerts", "event category", "description sid", "external", "logo", "av detection", "default browser", "guest system", "professional", "general", "file", "get fwlink", "geckohost", "suidm", "edgev1", "srchdafnoform", "srchuidv2", "edgesf1", "malware site", "agent", "exploit", "mimikatz", "quasar rat", "iframe", "beach research", "sgeneric", "static engine", "umbrella", "malware service", "exploit source", "scanning host", "Command and Control", "malicious url", "team malicious", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "bad traffic" ], "references": [ "https://metro-tmo.com/", "Hybrid Analysis", "Alienvault OTX", "Data Analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "South Africa", "Japan" ], "malware_families": [ { "id": "TrojanDownloader:O97M/BazaLoader", "display_name": "TrojanDownloader:O97M/BazaLoader", "target": "/malware/TrojanDownloader:O97M/BazaLoader" }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "TrojanDropper:VBS/Swrort", "display_name": "TrojanDropper:VBS/Swrort", "target": "/malware/TrojanDropper:VBS/Swrort" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Virus:DOS/Metro", "display_name": "Virus:DOS/Metro", "target": "/malware/Virus:DOS/Metro" }, { "id": "Metro", "display_name": "Metro", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Backdoor:Win32/Outbreak", "display_name": "Backdoor:Win32/Outbreak", "target": "/malware/Backdoor:Win32/Outbreak" }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "IRATA", "display_name": "IRATA", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:Trojan:O97M/Emotet", "display_name": "ALF:Trojan:O97M/Emotet", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Food", "Gas", "Entertainment" ], "TLP": "white", "cloned_from": "650d0c66e0b02a6dde4a8b7a", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 780, "FileHash-SHA256": 3085, "domain": 527, "URL": 3128, "CVE": 6, "FileHash-MD5": 610, "FileHash-SHA1": 368 }, "indicator_count": 8504, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.ubinary.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.ubinary.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776650961.6542058 }