{
  "type": "Domain",
  "indicator": "input.name",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/input.name",
    "alexa": "http://www.alexa.com/siteinfo/input.name",
    "indicator": "input.name",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2811798853,
      "indicator": "input.name",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "69dde8e5a8942bd5ac1fbcee",
          "name": "certs validating exp",
          "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
          "modified": "2026-05-14T07:02:49.006000",
          "created": "2026-04-14T07:12:37.635000",
          "tags": [
            "united",
            "a domains",
            "function",
            "javascript type",
            "script endif",
            "megamenutext",
            "script script",
            "link",
            "passive dns",
            "ip address",
            "date",
            "body",
            "config",
            "window",
            "title",
            "target",
            "encrypt"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 3,
            "URL": 58,
            "domain": 29,
            "hostname": 24,
            "YARA": 1,
            "FileHash-MD5": 2,
            "FileHash-SHA256": 2
          },
          "indicator_count": 119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dde8e61e9d84a49e7404e9",
          "name": "certs validating exp",
          "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
          "modified": "2026-05-14T07:02:49.006000",
          "created": "2026-04-14T07:12:38.096000",
          "tags": [
            "united",
            "a domains",
            "function",
            "javascript type",
            "script endif",
            "megamenutext",
            "script script",
            "link",
            "passive dns",
            "ip address",
            "date",
            "body",
            "config",
            "window",
            "title",
            "target",
            "encrypt"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 4,
            "URL": 206,
            "domain": 96,
            "hostname": 107
          },
          "indicator_count": 413,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dde8e68ac7a2840b6bdd2b",
          "name": "certs validating exp",
          "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
          "modified": "2026-05-14T07:02:49.006000",
          "created": "2026-04-14T07:12:38.474000",
          "tags": [
            "united",
            "a domains",
            "function",
            "javascript type",
            "script endif",
            "megamenutext",
            "script script",
            "link",
            "passive dns",
            "ip address",
            "date",
            "body",
            "config",
            "window",
            "title",
            "target",
            "encrypt"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "URL": 56,
            "domain": 27,
            "hostname": 23
          },
          "indicator_count": 107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dde8e68ac7a2840b6bdd2c",
          "name": "certs validating exp",
          "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
          "modified": "2026-05-14T07:02:49.006000",
          "created": "2026-04-14T07:12:38.854000",
          "tags": [
            "united",
            "a domains",
            "function",
            "javascript type",
            "script endif",
            "megamenutext",
            "script script",
            "link",
            "passive dns",
            "ip address",
            "date",
            "body",
            "config",
            "window",
            "title",
            "target",
            "encrypt"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "URL": 55,
            "domain": 27,
            "hostname": 23
          },
          "indicator_count": 106,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fae1934f6e33a4ccf7541f",
          "name": "Habo Analysis System + My own Iocs - Dropped Spybot Extraction with Invalid X[RAR] Cert.",
          "description": "1. Certificate Stuffing & Root Exploitation - This binary employs a Certificate Grafting technique: a chain of X.509 certificates has been appended to the file's overlay, apparently intended to make the file look trusted (see caveat below). The Microsoft Anchor: the inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) appears to be a deliberate TTP. By chaining a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary may be trying to fool tooling or users that only check whether the root is recognized. Caveat: bytes appended to a PE overlay do not by themselves alter the host's trust store, and Windows Authenticode only accepts a file whose signed hash matches the PE, so a recognized root alone does not make this binary trusted by the OS. Signature Status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match; the certificates are static artifacts in the overlay, not functional cryptographic signatures. 2. Hardware-Level Evasion (RDTSC) - The sample contains Direct CPU Clock Access (RDTSC) instructions. This is non-standard behavior for legitimate installers and is used for sandbox/VM detection (Virtualization/Sandbox Evasion: System Checks, T1497.001). See References for more information.",
          "modified": "2026-05-06T08:11:11.834000",
          "created": "2026-05-06T06:37:07.013000",
          "tags": [
            "technology",
            "subdomains",
            "date",
            "domain status",
            "registrar abuse",
            "handle",
            "dnssec",
            "registrar",
            "record type",
            "ttl value",
            "rdap",
            "rdap database",
            "entity",
            "code",
            "contact",
            "iana registrar",
            "markmonitor",
            "domain name",
            "registrant city",
            "us registrant",
            "email",
            "registrant fax",
            "server",
            "iana id",
            "contact phone",
            "registrar url",
            "registrar whois",
            "search",
            "filesspybot",
            "detail info",
            "tickcount",
            "text",
            "classname",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "window",
            "behaviour",
            "spybot",
            "class",
            "shell",
            "find",
            "serial number",
            "verisign time",
            "stamping",
            "ca valid",
            "from",
            "code signing",
            "algorithm",
            "thumbprint",
            "signer",
            "ca name",
            "verisign class",
            "symantec time",
            "root valid",
            "neutral",
            "ascii text",
            "russian neutral",
            "data rtdialog",
            "chromium"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG",
            "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.",
            "Temporal Inconsistency & Persistence: The 8-Year Gap.",
            "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine. Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.",
            "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.",
            "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034",
            "Rec: Process Monitoring: Hunt for unsigned binaries executing from %USERPROFILE%\\Downloads or %TEMP% that contain RDTSC instructions. Note that RDTSC is an unprivileged CPU instruction, not an API call or syscall, so most EDR/ETW telemetry cannot log individual executions of it; detect it statically instead (e.g. a YARA rule for the 0F 31 opcode in unsigned PE files) and pair that with process-creation and dropped-file monitoring (spybotsd162.exe, *.tmp) from those directories.",
            "",
            "<Missing CN> Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B",
            "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 75,
            "FileHash-SHA256": 342,
            "IPv4": 45,
            "domain": 14,
            "hostname": 102,
            "email": 3,
            "URL": 51
          },
          "indicator_count": 731,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc8243d6e7b1edbf302f20",
          "name": "CAPE Sandbox",
          "description": "8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
          "modified": "2026-05-01T02:13:09.867000",
          "created": "2026-04-01T02:26:11.619000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "date",
            "meta",
            "doctype html",
            "gb22bz6q819",
            "cpdatalayerga4",
            "gtmk73c5ps",
            "window",
            "trace",
            "error",
            "title",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 11,
            "domain": 5,
            "hostname": 58
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc82447d69c56d976f8d49",
          "name": "CAPE Sandbox",
          "description": "8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
          "modified": "2026-05-01T02:13:09.867000",
          "created": "2026-04-01T02:26:12.968000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "date",
            "meta",
            "doctype html",
            "gb22bz6q819",
            "cpdatalayerga4",
            "gtmk73c5ps",
            "window",
            "trace",
            "error",
            "title",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 11,
            "domain": 5,
            "hostname": 58
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc5400b703689bcc63312e",
          "name": "CAPE Sandbox",
          "description": "Google TagManager for GA4 a search engine for the Google Chrome operating system - is available on the web at 23:00 GMT on Wednesday, 2 February 2017, and here is the full report.>>pretext",
          "modified": "2026-04-30T23:10:15.978000",
          "created": "2026-03-31T23:08:48.290000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "home",
            "title",
            "doctype html",
            "g2tc34beqq1",
            "date",
            "cpdatalayerga4",
            "window",
            "trace",
            "error",
            "meta",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998732&Signature=abklSr27zG%2F95pmGLD5i5gIecIdJzpeybqDkc8ZQ6eAGLLhJYcwfLaMfxS9UdnDoOI%2Fsik9D4jzjSu183OS1xShSpLV39hNHSjeQKdZKFU%2BdfMeBXugDh4vaioMbECTIZIsBAjAF2exzqw%2BqiLoOV916%2B3gYI7g%2B5ps4ETYxXzNUW1MgfE5NCmJk2yyrNpwU%2BzXh80Y2yFZBuXfSma7kqffjSU4etSbDyCcWEcOXweo5aai0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 10,
            "domain": 5,
            "hostname": 58
          },
          "indicator_count": 76,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c0b65eb3a9d8321a855397",
          "name": "CAPE Sandbox",
          "description": "Google has released a full report on the performance of its artificial intelligence platform, GA4, using its own tag manager for the Google Tag Manager, which can be accessed via the web browser or app.",
          "modified": "2026-04-22T03:27:13.249000",
          "created": "2026-03-23T03:41:18.381000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "home",
            "title",
            "doctype html",
            "g2tc34beqq1",
            "date",
            "cpdatalayerga4",
            "window",
            "trace",
            "error",
            "meta",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/8e5997a654929867a07dcf89077a7b571bffd57ea59834ec3bdcae6304f60f49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774237536&Signature=rmgld9x39huQoZokOZEU%2Fom7Zo3DZwxPyIY6VvGpkYwIXdEo2IGYGgiA%2F75LOe2QmdJ0Q4uZDy5LsX0t2jiM%2B4WePTrJ6%2BSK2FgeUJsRq7GXDErhYh8wZVEfv3n57blHELTkUPnxbVaSqHb8%2FcbwlU9ox1C%2F%2BQRJDqtmVfG6OnC6O0MyYgrcJfKe2tC4LRS5ETSkgdA3Tm9aIwBruUNMzGQaW%2F7dQkoAEEofGoeseUrell"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 20,
            "domain": 9,
            "hostname": 68
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69aa842cef967c844adef1de",
          "name": "CAPE Sandbox part 2 - see part 1",
          "description": "heartbreaking",
          "modified": "2026-04-05T11:04:28.804000",
          "created": "2026-03-06T07:37:16.417000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3905,
            "FileHash-SHA1": 3515,
            "FileHash-SHA256": 8002,
            "URL": 982,
            "hostname": 2532,
            "domain": 164,
            "email": 1
          },
          "indicator_count": 19101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a90f69274935b1a5d045ae",
          "name": "Malware",
          "description": "A full report on the Cuckoo malware has been published by researchers at the University of California, Los Angeles, and by the European Commission (ECB) in the UK, with the following:",
          "modified": "2026-04-04T05:18:12.440000",
          "created": "2026-03-05T05:06:49.844000",
          "tags": [
            "files c",
            "state c",
            "nel c",
            "data",
            "parent pid",
            "full path",
            "command line",
            "registry keys",
            "datacrashpad",
            "datadefault c",
            "shutdown",
            "guard",
            "back"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 232,
            "FileHash-SHA1": 248,
            "FileHash-SHA256": 3023,
            "domain": 13,
            "hostname": 171,
            "URL": 12
          },
          "indicator_count": 3699,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708bae2f0c59d34f050b9e",
          "name": "Malware and bots",
          "description": "",
          "modified": "2023-12-06T14:56:46.779000",
          "created": "2023-12-06T14:56:46.779000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 168,
            "hostname": 427,
            "domain": 214,
            "URL": 1188,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "email": 1
          },
          "indicator_count": 2000,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "908 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "625614852d13a468fd3f7ef9",
          "name": "Malware and bots",
          "description": "function se(t,e,n, r, n; if you want to know what type of document you are, you can use the new RegExp(M) to set it.",
          "modified": "2022-05-12T00:04:24.089000",
          "created": "2022-04-13T00:08:37.870000",
          "tags": [
            "bygmo",
            "gmohd",
            "dx gmo",
            "nftadam",
            "iosandroid gmo",
            "csr sdgs",
            "english",
            "4444 gmo2020417",
            "developers gmo",
            "devsecopsthon",
            "tech",
            "font awesome",
            "free",
            "license",
            "cc by",
            "sil ofl",
            "code",
            "mit license",
            "brands",
            "fliph",
            "google",
            "import",
            "acbac1",
            "typeemail",
            "2deg",
            "1deg",
            "4deg",
            "css3",
            "animation cheat",
            "sheet",
            "justin aguilar",
            "questions",
            "slideexpandup",
            "expandup",
            "gradienttype0",
            "false",
            "copyright",
            "twitter",
            "f56505",
            "font",
            "font path",
            "woff",
            "truetype",
            "fontawesome",
            "unicode private",
            "tbody",
            "tfoot",
            "thead",
            "span",
            "multiple",
            "type",
            "href",
            "input",
            "halflings",
            "gradienttype1",
            "please",
            "function",
            "param",
            "method",
            "value",
            "target",
            "null",
            "array",
            "validator",
            "select",
            "checkbox",
            "date",
            "body",
            "error",
            "form",
            "meta",
            "class",
            "regexp",
            "typeof b",
            "width",
            "pseudo",
            "child",
            "sufeffxa0",
            "accept",
            "20px",
            "24px",
            "45deg",
            "typesubmit",
            "typenumber",
            "helvetica",
            "timelimit",
            "dialog",
            "content",
            "callback",
            "bodynoscroll",
            "click",
            "html",
            "confirm",
            "notice",
            "typeof e",
            "typeof t",
            "attr",
            "js foundation",
            "typeof module"
          ],
          "references": [
            "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/js/jquery.min.js",
            "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/js/dialog.min.js",
            "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/js/common.js",
            "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/css/public.css",
            "xfe-URL-c81e728d9d4c2f636f067f89cc14862c.com-stix2-2.1-export.json",
            "https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js",
            "http://downloads.mailchimp.com/js/jquery.form-n-validate.js",
            "http://imhrzluowdso.gq/i/css/bootstrap.css",
            "http://imhrzluowdso.gq/i/css/font-awesome.css",
            "http://imhrzluowdso.gq/i/css/bootstrap-theme.css",
            "http://imhrzluowdso.gq/i/css/animations.css",
            "http://imhrzluowdso.gq/i/css/style.css",
            "xfe-URL-imhrzluowdso.gq-stix2-2.1-export.json",
            "https://use.fontawesome.com/releases/v5.0.6/css/all.css"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1188,
            "domain": 214,
            "hostname": 427,
            "FileHash-SHA256": 168,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "email": 1
          },
          "indicator_count": 2000,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1481 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "xfe-URL-imhrzluowdso.gq-stix2-2.1-export.json",
        "http://downloads.mailchimp.com/js/jquery.form-n-validate.js",
        "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/js/jquery.min.js",
        "xfe-URL-c81e728d9d4c2f636f067f89cc14862c.com-stix2-2.1-export.json",
        "https://use.fontawesome.com/releases/v5.0.6/css/all.css",
        "<Missing CN> Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B",
        "http://imhrzluowdso.gq/i/css/font-awesome.css",
        "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/css/public.css",
        "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.",
        "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998732&Signature=abklSr27zG%2F95pmGLD5i5gIecIdJzpeybqDkc8ZQ6eAGLLhJYcwfLaMfxS9UdnDoOI%2Fsik9D4jzjSu183OS1xShSpLV39hNHSjeQKdZKFU%2BdfMeBXugDh4vaioMbECTIZIsBAjAF2exzqw%2BqiLoOV916%2B3gYI7g%2B5ps4ETYxXzNUW1MgfE5NCmJk2yyrNpwU%2BzXh80Y2yFZBuXfSma7kqffjSU4etSbDyCcWEcOXweo5aai0",
        "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/js/dialog.min.js",
        "https://vtbehaviour.commondatastorage.googleapis.com/8e5997a654929867a07dcf89077a7b571bffd57ea59834ec3bdcae6304f60f49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774237536&Signature=rmgld9x39huQoZokOZEU%2Fom7Zo3DZwxPyIY6VvGpkYwIXdEo2IGYGgiA%2F75LOe2QmdJ0Q4uZDy5LsX0t2jiM%2B4WePTrJ6%2BSK2FgeUJsRq7GXDErhYh8wZVEfv3n57blHELTkUPnxbVaSqHb8%2FcbwlU9ox1C%2F%2BQRJDqtmVfG6OnC6O0MyYgrcJfKe2tC4LRS5ETSkgdA3Tm9aIwBruUNMzGQaW%2F7dQkoAEEofGoeseUrell",
        "Temporal Inconsistency & Persistence: The 8-Year Gap.",
        "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034",
        "http://imhrzluowdso.gq/i/css/bootstrap.css",
        "http://imhrzluowdso.gq/i/css/animations.css",
        "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp",
        "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG",
        "https://c81e728d9d4c2f636f067f89cc14862c.com/static_new/js/common.js",
        "https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js",
        "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.",
        "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ",
        "http://imhrzluowdso.gq/i/css/style.css",
        "http://imhrzluowdso.gq/i/css/bootstrap-theme.css",
        "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine. Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration."
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "69dde8e5a8942bd5ac1fbcee",
      "name": "certs validating exp",
      "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
      "modified": "2026-05-14T07:02:49.006000",
      "created": "2026-04-14T07:12:37.635000",
      "tags": [
        "united",
        "a domains",
        "function",
        "javascript type",
        "script endif",
        "megamenutext",
        "script script",
        "link",
        "passive dns",
        "ip address",
        "date",
        "body",
        "config",
        "window",
        "title",
        "target",
        "encrypt"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 3,
        "URL": 58,
        "domain": 29,
        "hostname": 24,
        "YARA": 1,
        "FileHash-MD5": 2,
        "FileHash-SHA256": 2
      },
      "indicator_count": 119,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dde8e61e9d84a49e7404e9",
      "name": "certs validating exp",
      "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
      "modified": "2026-05-14T07:02:49.006000",
      "created": "2026-04-14T07:12:38.096000",
      "tags": [
        "united",
        "a domains",
        "function",
        "javascript type",
        "script endif",
        "megamenutext",
        "script script",
        "link",
        "passive dns",
        "ip address",
        "date",
        "body",
        "config",
        "window",
        "title",
        "target",
        "encrypt"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 4,
        "URL": 206,
        "domain": 96,
        "hostname": 107
      },
      "indicator_count": 413,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dde8e68ac7a2840b6bdd2b",
      "name": "certs validating exp",
      "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
      "modified": "2026-05-14T07:02:49.006000",
      "created": "2026-04-14T07:12:38.474000",
      "tags": [
        "united",
        "a domains",
        "function",
        "javascript type",
        "script endif",
        "megamenutext",
        "script script",
        "link",
        "passive dns",
        "ip address",
        "date",
        "body",
        "config",
        "window",
        "title",
        "target",
        "encrypt"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1,
        "URL": 56,
        "domain": 27,
        "hostname": 23
      },
      "indicator_count": 107,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dde8e68ac7a2840b6bdd2c",
      "name": "certs validating exp",
      "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>",
      "modified": "2026-05-14T07:02:49.006000",
      "created": "2026-04-14T07:12:38.854000",
      "tags": [
        "united",
        "a domains",
        "function",
        "javascript type",
        "script endif",
        "megamenutext",
        "script script",
        "link",
        "passive dns",
        "ip address",
        "date",
        "body",
        "config",
        "window",
        "title",
        "target",
        "encrypt"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1,
        "URL": 55,
        "domain": 27,
        "hostname": 23
      },
      "indicator_count": 106,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fae1934f6e33a4ccf7541f",
      "name": "Habo Analysis System + My own Iocs - Dropped Spybot Extraction with Invalid X[RAR] Cert.",
      "description": "Certificate Stuffing & Root Exploitation - This binary employs a high-level Certificate Grafting technique. The threat actor has manually appended a chain of X509 certificates to the file's overlay to manipulate the host's trust store. The Microsoft Anchor: The inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) is a strategic TTP. By pinning a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary aims to exploit Windows Authenticode logic which may default to \"Trusted\" if the root is recognized, regardless of leaf expiration. Signature Status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match. The certificates are static artifacts in the overlay, not functional cryptographic signatures. 2. Hardware-Level Evasion (RDTSC): The sample contains Direct CPU Clock Access (RDTSC) instructions. This is a non-standard behavior for legitimate installers and is used for Anti-Analysis (T1497.001): See References for more information.",
      "modified": "2026-05-06T08:11:11.834000",
      "created": "2026-05-06T06:37:07.013000",
      "tags": [
        "technology",
        "subdomains",
        "date",
        "domain status",
        "registrar abuse",
        "handle",
        "dnssec",
        "registrar",
        "record type",
        "ttl value",
        "rdap",
        "rdap database",
        "entity",
        "code",
        "contact",
        "iana registrar",
        "markmonitor",
        "domain name",
        "registrant city",
        "us registrant",
        "email",
        "registrant fax",
        "server",
        "iana id",
        "contact phone",
        "registrar url",
        "registrar whois",
        "search",
        "filesspybot",
        "detail info",
        "tickcount",
        "text",
        "classname",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "window",
        "behaviour",
        "spybot",
        "class",
        "shell",
        "find",
        "serial number",
        "verisign time",
        "stamping",
        "ca valid",
        "from",
        "code signing",
        "algorithm",
        "thumbprint",
        "signer",
        "ca name",
        "verisign class",
        "symantec time",
        "root valid",
        "neutral",
        "ascii text",
        "russian neutral",
        "data rtdialog",
        "chromium"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG",
        "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.",
        "Temporal Inconsistency & Persistence: The 8-Year Gap.",
        "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine. Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.",
        "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.",
        "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034",
        "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.",
        "",
        "<Missing CN> Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B",
        "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1030",
          "name": "Data Transfer Size Limits",
          "display_name": "T1030 - Data Transfer Size Limits"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 99,
        "FileHash-SHA1": 75,
        "FileHash-SHA256": 342,
        "IPv4": 45,
        "domain": 14,
        "hostname": 102,
        "email": 3,
        "URL": 51
      },
      "indicator_count": 731,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cc8243d6e7b1edbf302f20",
      "name": "CAPE Sandbox",
      "description": "8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
      "modified": "2026-05-01T02:13:09.867000",
      "created": "2026-04-01T02:26:11.619000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "date",
        "meta",
        "doctype html",
        "gb22bz6q819",
        "cpdatalayerga4",
        "gtmk73c5ps",
        "window",
        "trace",
        "error",
        "title",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 11,
        "domain": 5,
        "hostname": 58
      },
      "indicator_count": 77,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cc82447d69c56d976f8d49",
      "name": "CAPE Sandbox",
      "description": "8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
      "modified": "2026-05-01T02:13:09.867000",
      "created": "2026-04-01T02:26:12.968000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "date",
        "meta",
        "doctype html",
        "gb22bz6q819",
        "cpdatalayerga4",
        "gtmk73c5ps",
        "window",
        "trace",
        "error",
        "title",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 11,
        "domain": 5,
        "hostname": 58
      },
      "indicator_count": 77,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cc5400b703689bcc63312e",
      "name": "CAPE Sandbox",
      "description": "Google TagManager for GA4 a search engine for the Google Chrome operating system - is available on the web at 23:00 GMT on Wednesday, 2 February 2017, and here is the full report.>>pretext",
      "modified": "2026-04-30T23:10:15.978000",
      "created": "2026-03-31T23:08:48.290000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "home",
        "title",
        "doctype html",
        "g2tc34beqq1",
        "date",
        "cpdatalayerga4",
        "window",
        "trace",
        "error",
        "meta",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998732&Signature=abklSr27zG%2F95pmGLD5i5gIecIdJzpeybqDkc8ZQ6eAGLLhJYcwfLaMfxS9UdnDoOI%2Fsik9D4jzjSu183OS1xShSpLV39hNHSjeQKdZKFU%2BdfMeBXugDh4vaioMbECTIZIsBAjAF2exzqw%2BqiLoOV916%2B3gYI7g%2B5ps4ETYxXzNUW1MgfE5NCmJk2yyrNpwU%2BzXh80Y2yFZBuXfSma7kqffjSU4etSbDyCcWEcOXweo5aai0"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 10,
        "domain": 5,
        "hostname": 58
      },
      "indicator_count": 76,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c0b65eb3a9d8321a855397",
      "name": "CAPE Sandbox",
      "description": "Google has released a full report on the performance of its artificial intelligence platform, GA4, using its own tag manager for the Google Tag Manager, which can be accessed via the web browser or app.",
      "modified": "2026-04-22T03:27:13.249000",
      "created": "2026-03-23T03:41:18.381000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "home",
        "title",
        "doctype html",
        "g2tc34beqq1",
        "date",
        "cpdatalayerga4",
        "window",
        "trace",
        "error",
        "meta",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/8e5997a654929867a07dcf89077a7b571bffd57ea59834ec3bdcae6304f60f49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774237536&Signature=rmgld9x39huQoZokOZEU%2Fom7Zo3DZwxPyIY6VvGpkYwIXdEo2IGYGgiA%2F75LOe2QmdJ0Q4uZDy5LsX0t2jiM%2B4WePTrJ6%2BSK2FgeUJsRq7GXDErhYh8wZVEfv3n57blHELTkUPnxbVaSqHb8%2FcbwlU9ox1C%2F%2BQRJDqtmVfG6OnC6O0MyYgrcJfKe2tC4LRS5ETSkgdA3Tm9aIwBruUNMzGQaW%2F7dQkoAEEofGoeseUrell"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 20,
        "domain": 9,
        "hostname": 68
      },
      "indicator_count": 103,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "40 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69aa842cef967c844adef1de",
      "name": "CAPE Sandbox part 2 - see part 1",
      "description": "heartbreaking",
      "modified": "2026-04-05T11:04:28.804000",
      "created": "2026-03-06T07:37:16.417000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3905,
        "FileHash-SHA1": 3515,
        "FileHash-SHA256": 8002,
        "URL": 982,
        "hostname": 2532,
        "domain": 164,
        "email": 1
      },
      "indicator_count": 19101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "input.name",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "input.name",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780342552.5070832
}