{ "type": "Domain", "indicator": "ksproxy.ax", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ksproxy.ax", "alexa": "http://www.alexa.com/siteinfo/ksproxy.ax", "indicator": "ksproxy.ax", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3390783568, "indicator": "ksproxy.ax", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d950dbc842a74295895b0d", "name": "Sample of System 32 - Falcon Sandbox - 04.10.26", "description": "Hybrid Analysis Submission\nSearch: #UAlberta ( for collections )\n??Not Specific Threat = Still a Threat>", "modified": "2026-04-10T20:08:15.965000", "created": "2026-04-10T19:34:49.381000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "Vect", "Cobalt", "Toro" ], "references": [ "http://hybrid-analysis.com/file-collection/69d94f5658dcdf40f1074e01", "https://tinyurl.com/252q6ne7", "https://www.virustotal.com/gui/file/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168?nocache=1", "B2B0ED95FD75B73BE25B2E31E04CB345B2DFE7FA4346F08CF263DA2BFFA28E75", "http://hybrid-analysis.com/sample/d794f02f25f190f3f05b187e90714f2e73d0f92164875d294ae22f6f41bb4170", "http://hybrid-analysis.com/sample/d794f02f25f190f3f05b187e90714f2e73d0f92164875d294ae22f6f41bb4170/69cbfec09ed9a03a880abc50" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 379, "FileHash-MD5": 111, "FileHash-SHA1": 101, "domain": 43, "SSLCertFingerprint": 2, "URL": 4, "hostname": 1 }, "indicator_count": 641, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "50 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66787d5a6185154041c0a9fd", "name": "Copy of getting files onto OTX - Windows system32 sha256 dump (filtered)", "description": "", "modified": "2024-06-27T23:29:05.404000", "created": "2024-06-23T19:54:02.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "667879806fcf703f9b4b99de", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 865, "domain": 39, "hostname": 3 }, "indicator_count": 913, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "702 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667879806fcf703f9b4b99de", "name": "My workaround to getting files onto OTX - Windows system32 sha256 dump", "description": "I have been trying to create a pulse in regards to multiple files failing integrity checks as well as invalid signatures, some with no signatures, and unconfirmed IoC's pertaining to APT28. This is just to get the hashes and files names into the community. What i was having to do is use vt-cli on Linux to upload the files (which I'm still doing on due to API quota restrictions) and then just calculating the sha256's of the files directly, and then copy and pasting them into the create page. Take it as you will. Stay tuned.", "modified": "2024-06-23T19:37:36.619000", "created": "2024-06-23T19:37:36.619000", "tags": [ "dev56a0", "subsys3937", "deva780", "subsysd000", "management", "task", "clientad rms", "policy template", "refresh", "scan", "defender", "loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA256": 15578, "domain": 228, "hostname": 23 }, "indicator_count": 15848, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "706 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ee2668cad3bfce7a474d79", "name": "IOC's from my personal devices for the week starting 08/28/23 - leveraging Yara, overwhelmed", "description": "placeholder\n\nAt current I have well over 2000 detentions just on this one device - I'm working on getting everything presentable.", "modified": "2024-02-10T03:37:00.560000", "created": "2023-08-29T17:10:00.158000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "indicator", "file", "ck id", "mitre att", "show technique", "ck matrix", "hybrid analysis", "suspicious", "hybrid", "close", "click", "august", "crypto", "strings", "malicious", "podcast", "team", "june", "error", "virtual size", "fail", "media", "path", "entropy", "alienvault", "open threat" ], "references": [ "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e", "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec", "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca", "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156", "https://tria.ge/230825-pdyvdabe74", "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086" ], "public": 1, "adversary": "N/A", "targeted_countries": [], "malware_families": [ { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Trojan:Linux/Rootkit", "display_name": "Trojan:Linux/Rootkit", "target": "/malware/Trojan:Linux/Rootkit" }, { "id": "Poet RAT", "display_name": "Poet RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" }, { "id": "Shylock", "display_name": "Shylock", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "TrojanSpy:Win32/Warpp", "display_name": "TrojanSpy:Win32/Warpp", "target": "/malware/TrojanSpy:Win32/Warpp" }, { "id": "IronTiger", "display_name": "IronTiger", "target": null }, { "id": "wimmie", "display_name": "wimmie", "target": null }, { "id": "lsadump", "display_name": "lsadump", "target": null }, { "id": "SURTR", "display_name": "SURTR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 79, "FileHash-SHA1": 46, "FileHash-SHA256": 68, "URL": 119, "domain": 36, "hostname": 88, "email": 1, "SSLCertFingerprint": 5 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f379639e77ae81f51fb1a6", "name": "IOC's from my personal devices for the week starting 08/28/23 (byMeekd1904) hmm?", "description": "", "modified": "2023-09-02T18:05:23.864000", "created": "2023-09-02T18:05:23.864000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "indicator", "file", "ck id", "mitre att", "show technique", "ck matrix", "hybrid analysis", "suspicious", "hybrid", "close", "click", "august", "crypto", "strings", "malicious", "podcast", "team", "june", "error", "virtual size", "fail", "media", "path", "entropy", "alienvault", "open threat" ], "references": [ "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e", "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec", "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca", "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156", "https://tria.ge/230825-pdyvdabe74", "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086" ], "public": 1, "adversary": "N/A", "targeted_countries": [], "malware_families": [ { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Trojan:Linux/Rootkit", "display_name": "Trojan:Linux/Rootkit", "target": "/malware/Trojan:Linux/Rootkit" }, { "id": "Poet RAT", "display_name": "Poet RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" }, { "id": "Shylock", "display_name": "Shylock", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "TrojanSpy:Win32/Warpp", "display_name": "TrojanSpy:Win32/Warpp", "target": "/malware/TrojanSpy:Win32/Warpp" }, { "id": "IronTiger", "display_name": "IronTiger", "target": null }, { "id": "wimmie", "display_name": "wimmie", "target": null }, { "id": "lsadump", "display_name": "lsadump", "target": null }, { "id": "SURTR", "display_name": "SURTR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": "64ee2668cad3bfce7a474d79", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 79, "FileHash-SHA1": 46, "FileHash-SHA256": 68, "URL": 119, "domain": 36, "hostname": 88, "email": 1, "SSLCertFingerprint": 5 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "1001 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62221d71474b323d486dc3f2", "name": "WTF 2022", "description": "", "modified": "2022-04-03T00:00:55.161000", "created": "2022-03-04T14:08:49.518000", "tags": [], "references": [ "WTF.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 587, "URL": 668, "hostname": 613, "domain": 1320, "FileHash-MD5": 59, "FileHash-SHA1": 2 }, "indicator_count": 3249, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1519 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "http://hybrid-analysis.com/sample/d794f02f25f190f3f05b187e90714f2e73d0f92164875d294ae22f6f41bb4170", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e", "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3", "https://tinyurl.com/252q6ne7", "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://tria.ge/230825-pdyvdabe74", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "B2B0ED95FD75B73BE25B2E31E04CB345B2DFE7FA4346F08CF263DA2BFFA28E75", "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156", "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "http://hybrid-analysis.com/file-collection/69d94f5658dcdf40f1074e01", "WTF.pdf", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "http://hybrid-analysis.com/sample/d794f02f25f190f3f05b187e90714f2e73d0f92164875d294ae22f6f41bb4170/69cbfec09ed9a03a880abc50", "https://www.virustotal.com/gui/file/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168?nocache=1" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "N/A", "@GRAMMERSoft" ], "malware_families": [ "Poet rat", "Trojanspy:win32/warpp", "Lsadump", "Trojan:linux/rootkit", "Spyeye", "Surtr", "Virus:win95/cerebrus", "Wimmie", "Irontiger", "Cobalt strike", "Shylock", "Trojandropper:win32/ponmocup" ], "industries": [ "Individuals" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d950dbc842a74295895b0d", "name": "Sample of System 32 - Falcon Sandbox - 04.10.26", "description": "Hybrid Analysis Submission\nSearch: #UAlberta ( for collections )\n??Not Specific Threat = Still a Threat>", "modified": "2026-04-10T20:08:15.965000", "created": "2026-04-10T19:34:49.381000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "Vect", "Cobalt", "Toro" ], "references": [ "http://hybrid-analysis.com/file-collection/69d94f5658dcdf40f1074e01", "https://tinyurl.com/252q6ne7", "https://www.virustotal.com/gui/file/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168?nocache=1", "B2B0ED95FD75B73BE25B2E31E04CB345B2DFE7FA4346F08CF263DA2BFFA28E75", "http://hybrid-analysis.com/sample/d794f02f25f190f3f05b187e90714f2e73d0f92164875d294ae22f6f41bb4170", "http://hybrid-analysis.com/sample/d794f02f25f190f3f05b187e90714f2e73d0f92164875d294ae22f6f41bb4170/69cbfec09ed9a03a880abc50" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 379, "FileHash-MD5": 111, "FileHash-SHA1": 101, "domain": 43, "SSLCertFingerprint": 2, "URL": 4, "hostname": 1 }, "indicator_count": 641, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "50 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66787d5a6185154041c0a9fd", "name": "Copy of getting files onto OTX - Windows system32 sha256 dump (filtered)", "description": "", "modified": "2024-06-27T23:29:05.404000", "created": "2024-06-23T19:54:02.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "667879806fcf703f9b4b99de", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 865, "domain": 39, "hostname": 3 }, "indicator_count": 913, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "702 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667879806fcf703f9b4b99de", "name": "My workaround to getting files onto OTX - Windows system32 sha256 dump", "description": "I have been trying to create a pulse in regards to multiple files failing integrity checks as well as invalid signatures, some with no signatures, and unconfirmed IoC's pertaining to APT28. This is just to get the hashes and files names into the community. What i was having to do is use vt-cli on Linux to upload the files (which I'm still doing on due to API quota restrictions) and then just calculating the sha256's of the files directly, and then copy and pasting them into the create page. Take it as you will. Stay tuned.", "modified": "2024-06-23T19:37:36.619000", "created": "2024-06-23T19:37:36.619000", "tags": [ "dev56a0", "subsys3937", "deva780", "subsysd000", "management", "task", "clientad rms", "policy template", "refresh", "scan", "defender", "loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA256": 15578, "domain": 228, "hostname": 23 }, "indicator_count": 15848, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "706 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ee2668cad3bfce7a474d79", "name": "IOC's from my personal devices for the week starting 08/28/23 - leveraging Yara, overwhelmed", "description": "placeholder\n\nAt current I have well over 2000 detentions just on this one device - I'm working on getting everything presentable.", "modified": "2024-02-10T03:37:00.560000", "created": "2023-08-29T17:10:00.158000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "indicator", "file", "ck id", "mitre att", "show technique", "ck matrix", "hybrid analysis", "suspicious", "hybrid", "close", "click", "august", "crypto", "strings", "malicious", "podcast", "team", "june", "error", "virtual size", "fail", "media", "path", "entropy", "alienvault", "open threat" ], "references": [ "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e", "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec", "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca", "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156", "https://tria.ge/230825-pdyvdabe74", "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086" ], "public": 1, "adversary": "N/A", "targeted_countries": [], "malware_families": [ { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Trojan:Linux/Rootkit", "display_name": "Trojan:Linux/Rootkit", "target": "/malware/Trojan:Linux/Rootkit" }, { "id": "Poet RAT", "display_name": "Poet RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" }, { "id": "Shylock", "display_name": "Shylock", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "TrojanSpy:Win32/Warpp", "display_name": "TrojanSpy:Win32/Warpp", "target": "/malware/TrojanSpy:Win32/Warpp" }, { "id": "IronTiger", "display_name": "IronTiger", "target": null }, { "id": "wimmie", "display_name": "wimmie", "target": null }, { "id": "lsadump", "display_name": "lsadump", "target": null }, { "id": "SURTR", "display_name": "SURTR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 79, "FileHash-SHA1": 46, "FileHash-SHA256": 68, "URL": 119, "domain": 36, "hostname": 88, "email": 1, "SSLCertFingerprint": 5 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f379639e77ae81f51fb1a6", "name": "IOC's from my personal devices for the week starting 08/28/23 (byMeekd1904) hmm?", "description": "", "modified": "2023-09-02T18:05:23.864000", "created": "2023-09-02T18:05:23.864000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "indicator", "file", "ck id", "mitre att", "show technique", "ck matrix", "hybrid analysis", "suspicious", "hybrid", "close", "click", "august", "crypto", "strings", "malicious", "podcast", "team", "june", "error", "virtual size", "fail", "media", "path", "entropy", "alienvault", "open threat" ], "references": [ "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e", "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec", "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca", "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156", "https://tria.ge/230825-pdyvdabe74", "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2", "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086" ], "public": 1, "adversary": "N/A", "targeted_countries": [], "malware_families": [ { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Trojan:Linux/Rootkit", "display_name": "Trojan:Linux/Rootkit", "target": "/malware/Trojan:Linux/Rootkit" }, { "id": "Poet RAT", "display_name": "Poet RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" }, { "id": "Shylock", "display_name": "Shylock", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "TrojanSpy:Win32/Warpp", "display_name": "TrojanSpy:Win32/Warpp", "target": "/malware/TrojanSpy:Win32/Warpp" }, { "id": "IronTiger", "display_name": "IronTiger", "target": null }, { "id": "wimmie", "display_name": "wimmie", "target": null }, { "id": "lsadump", "display_name": "lsadump", "target": null }, { "id": "SURTR", "display_name": "SURTR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": "64ee2668cad3bfce7a474d79", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 79, "FileHash-SHA1": 46, "FileHash-SHA256": 68, "URL": 119, "domain": 36, "hostname": 88, "email": 1, "SSLCertFingerprint": 5 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "1001 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62221d71474b323d486dc3f2", "name": "WTF 2022", "description": "", "modified": "2022-04-03T00:00:55.161000", "created": "2022-03-04T14:08:49.518000", "tags": [], "references": [ "WTF.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 587, "URL": 668, "hostname": 613, "domain": 1320, "FileHash-MD5": 59, "FileHash-SHA1": 2 }, "indicator_count": 3249, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1519 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ksproxy.ax", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ksproxy.ax", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780250220.6529748 }