{ "type": "URL", "indicator": "https://www.vmray.com/analyses/76afc4a7ef10/report/overview.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.vmray.com/analyses/76afc4a7ef10/report/overview.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4050337949, "indicator": "https://www.vmray.com/analyses/76afc4a7ef10/report/overview.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "685ede1cff1cc6d965d73b4f", "name": "doc document-macro.doc", "description": "https://www.virustotal.com/gui/file/02dad9ca41f47e219a369cd5b8998ae5eb32f214105c3af01fd0cda6218f33a6/details", "modified": "2025-10-01T00:01:22.860000", "created": "2025-06-27T18:08:28.925000", "tags": [ "temp", "matches rule", "rule set", "github", "user", "nextron", "snort", "number", "cus subject", "stwa lredmond", "malware", "powershell", "date", "critical", "path", "info", "ping", "download", "trustedpath uac", "bypass pattern", "uac bypass", "roth", "system32", "created", "vadim khrykov", "threatintel", "cyb3reng", "rule", "child process", "word", "excel", "powerpoint", "publisher", "visio", "markus neis", "homenet", "externalnet", "httpports", "watson error", "stageone", "released", "bartblaze", "office version" ], "references": [ "02dad9ca41f47e219a369cd5b8998ae5eb32f214105c3af01fd0cda6218f33a6.doc document-macro.doc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 56, "FileHash-SHA1": 11, "FileHash-SHA256": 89, "URL": 96, "domain": 4, "hostname": 149, "YARA": 1 }, "indicator_count": 413, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67dd90a215aee67faa59f106", "name": "Rilide: An Information Stealing Browser Extension", "description": "Rilide is an information stealer masquerading as a browser extension that is designed to steal personal information, log passwords and steal credentials for cryptocurrency wallets, according to research published by CyberChef.", "modified": "2025-04-20T16:04:48.699000", "created": "2025-03-21T16:15:30.763000", "tags": [ "threat intelligence", "malware", "rilide", "powershell", "figure", "google drive", "vmray", "bitcoin address", "iocs", "cyberchef", "strong", "learn", "twitter", "april", "august", "dropper", "virustotal", "facebook", "restrict" ], "references": [ "https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "arringtont", "id": "6086", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_6086/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 14, "domain": 17, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 104, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "02dad9ca41f47e219a369cd5b8998ae5eb32f214105c3af01fd0cda6218f33a6.doc document-macro.doc", "https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Rilide" ], "industries": [], "unique_indicators": 466 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/vmray.com", "whois": "http://whois.domaintools.com/vmray.com", "domain": "vmray.com", "hostname": "www.vmray.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "685ede1cff1cc6d965d73b4f", "name": "doc document-macro.doc", "description": "https://www.virustotal.com/gui/file/02dad9ca41f47e219a369cd5b8998ae5eb32f214105c3af01fd0cda6218f33a6/details", "modified": "2025-10-01T00:01:22.860000", "created": "2025-06-27T18:08:28.925000", "tags": [ "temp", "matches rule", "rule set", "github", "user", "nextron", "snort", "number", "cus subject", "stwa lredmond", "malware", "powershell", "date", "critical", "path", "info", "ping", "download", "trustedpath uac", "bypass pattern", "uac bypass", "roth", "system32", "created", "vadim khrykov", "threatintel", "cyb3reng", "rule", "child process", "word", "excel", "powerpoint", "publisher", "visio", "markus neis", "homenet", "externalnet", "httpports", "watson error", "stageone", "released", "bartblaze", "office version" ], "references": [ "02dad9ca41f47e219a369cd5b8998ae5eb32f214105c3af01fd0cda6218f33a6.doc document-macro.doc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 56, "FileHash-SHA1": 11, "FileHash-SHA256": 89, "URL": 96, "domain": 4, "hostname": 149, "YARA": 1 }, "indicator_count": 413, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67dd90a215aee67faa59f106", "name": "Rilide: An Information Stealing Browser Extension", "description": "Rilide is an information stealer masquerading as a browser extension that is designed to steal personal information, log passwords and steal credentials for cryptocurrency wallets, according to research published by CyberChef.", "modified": "2025-04-20T16:04:48.699000", "created": "2025-03-21T16:15:30.763000", "tags": [ "threat intelligence", "malware", "rilide", "powershell", "figure", "google drive", "vmray", "bitcoin address", "iocs", "cyberchef", "strong", "learn", "twitter", "april", "august", "dropper", "virustotal", "facebook", "restrict" ], "references": [ "https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "arringtont", "id": "6086", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_6086/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 14, "domain": 17, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 104, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.vmray.com/analyses/76afc4a7ef10/report/overview.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.vmray.com/analyses/76afc4a7ef10/report/overview.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780320357.4666638 }