{ "type": "Domain", "indicator": "lassocrm.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/lassocrm.com", "alexa": "http://www.alexa.com/siteinfo/lassocrm.com", "indicator": "lassocrm.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2008973550, "indicator": "lassocrm.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03fda0034d0da956e10d35", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-13T07:11:11.647000", "created": "2026-05-13T04:27:12.240000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA256": 7, "URL": 31, "domain": 224, "hostname": 13, "FileHash-SHA1": 7, "Mutex": 1, "IPv4": 207, "CVE": 8 }, "indicator_count": 512, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666646981c67b7ec964a7f62", "name": "checking more", "description": "", "modified": "2024-06-10T00:36:05.060000", "created": "2024-06-10T00:19:36.874000", "tags": [], "references": [ "https://www.hybrid-analysis.com/sample/7a36b5b0ee19fd7f367bf5c321b32598d8e5f9ce38d3f46cad621334f4ac4794/64d6038800d015277f090693" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1077, "hostname": 113 }, "indicator_count": 1190, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "720 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e298af236c03fdd49226dd", "name": "IOC's from my personal devices for the week starting 08/21/23 - Pure Linux", "description": "It's becoming quite the wrestling match trying to get these pulses's created especially trying to utilize OTX's native uploader for the actual pulse; but after taking another persistent OS instance as a casualty I'm finally getting a workflow down. \n\nThis is all Linux starting this week; with a metric f*ck ton and frankly overwhelming amount of Yara matches I could only get a few to play outside of local analysis. But those include an apprently rooted libgo that landed on an Arch ISO as well as a CAchyOS ISO; a Dockerd that was hiding in the source {~/docker/bundles/binary) directory after cloning from gtihub earlier today as well as an unsolicited dsniff executable. Whatever this is also decided to leech off of and make a home out of the Cuda lib (/opt/cuda/ --- and as soon as I can get it uploaded a malicious ISO, and kernel out of the docker-desktop (/opt/docker-desktop) directory. Never a dull moment.", "modified": "2024-02-14T21:44:03.410000", "created": "2023-08-20T22:50:23.225000", "tags": [ "dukexternaldecl", "dukfilemacro", "duklinemacro", "duktape", "dukapinoreturn", "dukcompileeval", "dukcompilesafe", "null", "vaargs", "ecmascript", "date", "error", "push", "local", "internal", "returns", "value", "boostnocwchar", "indeterminate", "boostusefacet", "brief returns", "boosthasfacet", "gregor", "boost software", "license", "banner", "ipaddr", "author", "usage", "version", "anhth", "atlassian2", "cdn2", "devadmin", "haproxy3", "false", "team", "abba", "abcd", "acid", "adonis", "aeon", "afrodita", "agent", "akira", "alabama", "aldebaran", "aleph", "alex", "alexa", "alfa", "alien", "alina", "alisa", "alma", "alpha", "amigo", "amos", "anarchy", "andromeda", "angela", "anime", "anis", "anna", "anubis", "apache", "apollo", "april", "arch", "archie", "argos", "argus", "aria", "aris", "armageddon", "artemis", "asahi", "ashley", "assassin", "astra", "atom", "atomic", "august", "auriga", "aurora", "austin", "autorun", "avalanche", "avalon", "avenger", "aviator", "avril", "azrael", "baba", "babe", "baby", "babylon", "bach", "baidu", "bandung", "bank", "baobab", "bara", "baran", "baron", "barry", "bart", "basket", "batman", "bazar", "beer", "belarus", "belka", "belle", "benchmark", "benjamin", "benny", "bill", "bingo", "blackbox", "blackcat", "blackhole", "blacksun", "blaze", "blizzard", "blondie", "blood", "bluesky", "bnet", "bobo", "bomb", "bomber", "boom", "borg", "bounce", "bouncer", "boxer", "bridge", "buddy", "bullet", "bumblebee", "bunny", "burn", "caca", "caesar", "calendar", "calgary", "camel", "candle", "canvas", "cardinal", "cargo", "carpediem", "carrier", "casino", "casper", "cassini", "celine", "cerberus", "cetus", "chacha", "chantal", "cheap", "chester", "chewbacca", "chin", "citadel", "clarity", "class", "click", "clock", "cluster", "cobalt", "cobra", "coco", "coconut", "code", "coke", "combo", "comet", "comment", "comp", "conan", "config", "connector", "contact", "cookie", "cool", "corona", "cracker", "crash", "crawl", "crazy", "crew", "crime", "crimson", "crypton", "crystal", "cuba", "cyber", "cyrus", "dada", "dani", "daniel", "dark", "darkman", "darkness", "darkside", "darkstar", "daum", "david", "davis", "dbase", "death", "deimos", "delphi", "delta", "demo", "democracy", "dennis", "depot", "derek", "designer", "desktop", "dexter", "dharma", "diablo", "dialer", "diego", "diesel", "digi", "dima", "dino", "direct", "divine", "django", "dock", "dodo", "dolphin", "domino", "donald", "doom", "dora", "dotnet", "dracula", "dragon", "drop", "drweb", "dude", "duke", "dummy", "dump", "dune", "dust", "duster", "easy", "echelon", "eclipse", "eddie", "eddy", "elaine", "eleanor", "elisa", "elite", "emilia", "emma", "empire", "encrypt", "energy", "epsilon", "equinox", "eris", "esmeralda", "esupport", "eternal", "eternity", "euclid", "evil", "excalibur", "exodus", "experiment", "explorer", "express", "face", "facebook", "factory", "faisal", "fastcash", "feedme", "fenrir", "feri", "fiesta", "final", "finger", "firebird", "firefly", "first", "flamingo", "flash", "flex", "floyd", "flux", "fortune", "foryou", "foxy", "freddy", "freedom", "freeweb", "frodo", "frog", "front", "frozen", "fruit", "funky", "fury", "gaga", "galaxy", "galileo", "gamma", "gate", "gauss", "general", "generator", "genome", "giga", "gigi", "ginger", "girls", "glacier", "globe", "gloria", "goblin", "gogo", "golf", "gollum", "gondor", "gotcha", "graphite", "groove", "guard", "habbo", "hair", "hale", "hamster", "happytime", "harmony", "harrier", "havoc", "hawk", "hehe", "hell", "hello", "helpme", "hermit", "hino", "hippo", "honeypot", "hook", "horror", "hoster", "hotmail", "hunter", "hydra", "ibank", "icarus", "ident", "igloo", "iloveyou", "immortal", "impact", "import", "incom", "incubator", "indra", "inex", "inferno", "infinity", "info", "infra", "insane", "inside", "inter", "iowa", "iron", "iservice", "istanbul", "ivan", "jackson", "jaka", "jason", "jedi", "jeff", "jigsaw", "jimmy", "jinx", "john", "johnny", "joker", "joshi", "jquery", "judy", "julia", "juliet", "julius", "june", "juno", "justin", "kaiser", "kala", "kali", "kami", "kamikaze", "kamil", "kappa", "karin", "karina", "karma", "kato", "katy", "keeper", "kevin", "kiev", "killer", "kilo", "kiwi", "koko", "krasnodar", "krypton", "kurgan", "lana", "landmark", "lapis", "larry", "lazarus", "lazy", "leda", "legacy", "leon", "levi", "leviathan", "light", "lilith", "lilo", "lime", "little", "liza", "lizard", "logger", "logic", "loke", "loki", "lola", "loli", "lolita", "lolol", "look", "loulou", "love", "lucia", "lucky", "lucy", "luna", "lust", "madmax", "mafia", "magazine", "magento", "maggie", "magic", "magnum", "mailto", "maker", "mamba", "mami", "mandrake", "mania", "manuel", "marina", "mario", "mark", "markus", "marlboro", "martin", "maru", "mask", "massmail", "matrix", "maverick", "maximus", "maya", "mayak", "maze", "media", "medusa", "mensa", "mercurial", "mercury", "merlin", "meta", "metal", "metallica", "meteor", "metro", "mexico", "michael", "mikey", "mine", "mini", "minotaur", "minsk", "mint", "mira", "miso", "mission", "model", "monster", "moran", "mordor", "mozart", "multi", "murphy", "mylove", "nazgul", "nebula", "neko", "netmail", "neuro", "neuron", "nevada", "nexus", "night", "nightmare", "nikita", "niko", "nina", "ninja", "nirvana", "nitro", "nomad", "nono", "noob", "northstar", "nova", "nuke", "oblivion", "octopus", "ogre", "olga", "olivia", "omni", "ontario", "open", "orinoco", "oscar", "otto", "outside", "ozzy", "pacman", "pamela", "panama", "panda", "pandora", "panic", "paradox", "paraguay", "paranoia", "paris", "pass", "passmark", "path", "payment", "pedro", "pepe", "pepper", "perseus", "phantom", "philadelphia", "phoenix", "phpbb", "picasso", "pigeon", "pikachu", "pinger", "pingpong", "pinky", "pioneer", "pirate", "piter", "pixel", "pizza", "plasma", "pluto", "police", "pony", "porno", "posta", "prague", "predator", "prestige", "primus", "prism", "privat", "probe", "problem", "proj", "project", "prometheus", "prophet", "protect", "proteus", "proton", "puma", "punk", "python", "quake", "quartz", "quasar", "r2d2", "race", "ragnarok", "raid", "rainbow", "rambo", "rana", "ranger", "rape", "rapid", "raptor", "ravi", "razor", "reboot", "recon", "rector", "reda", "redir", "redirector", "redline", "refresh", "reklam", "relax", "rescue", "retro", "rhino", "rigel", "riot", "robin", "robinhood", "robo", "rock", "rocket", "rogue", "roma", "rosebud", "roxy", "ruby", "runner", "rush", "sadmin", "saigon", "sailor", "sakura", "salsa", "samurai", "sanctuary", "sandbox", "sandra", "sandy", "sapphire", "sara", "sarah", "satan", "saturn", "sauron", "savenow", "school", "seeker", "sentinel", "seraph", "serena", "serg", "service", "servidor", "sexy", "shadow", "shaggy", "shaman", "shane", "sharepoint", "shark", "shell", "sherlock", "silent", "simba", "simplex", "sirius", "skinner", "skipper", "skynet", "slash", "slice", "slim", "smash", "smog", "snake", "sniper", "snow", "snowflake", "sochi", "solid", "sonic", "sora", "soul", "spark", "sparkle", "sparta", "spartacus", "spawn", "spectre", "sphinx", "spice", "spin", "spirit", "splash", "spooky", "sport", "squirrel", "star", "stark", "stealth", "steel", "stop", "story", "striker", "stub", "styx", "sugar", "sunny", "sunset", "super", "supernova", "supervisor", "supra", "suri", "survey", "sweet", "sword", "sysadmin", "target", "tarot", "taurus", "teamo", "techno", "telecom", "template", "terminal", "terra", "terre", "testapi", "tetris", "thebe", "theta", "thor", "tibia", "tick", "ticker", "tiger", "tigger", "tiny", "titan", "titanic", "tokyo", "toolbar", "torun", "trace", "trailer", "trash", "trident", "trigger", "trinity", "tripoli", "triton", "troll", "tron", "troy", "tsunami", "tula", "twister", "twitter", "ultimate", "uranus", "uruguay", "valencia", "valentine", "valeria", "vampire", "vanguard", "venus", "victor", "vidar", "vienna", "viper", "voice", "voodoo", "voronezh", "vortex", "voyager", "vulcano", "waffle", "wagner", "walker", "wallpaper", "walrus", "wanderer", "warrior", "webadmin", "webdav", "websearch", "webview", "wedge", "westnet", "whiterose", "wide", "widget", "willow", "win4", "window", "winnie", "winnt", "wolf", "wraith", "write", "wuhan", "xanadu", "xena", "xenon", "xmail", "xpress", "yang", "youth", "yoyo", "yume", "zeppelin", "zero", "zeus", "zhang", "zimbra", "zion", "zombie", "zona", "zorro", "zulu", "NativeAPI" ], "references": [ "duktape.h", "tribool_io.hpp", "dnsspider", "libgo.so.22.0.0", "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4/64e43114272b03328005b88b", "/opt/cuda", "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0/64e3ff9747b24214820d5c1a", "https://hybrid-analysis.com/sample/32bc49b0d1d7aba6742b0e81dc0105c54bd5c9f32321f96b1594fbbe36692880", "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef/64e3ffbd15668ff65803bf54", "dockerd", "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4", "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0", "https://hybrid-analysis.com/sample/0d4a7cda209c9701bc4cd19aac861d2be8aa1ce6258922d64e711de3d9bad2ae/64e679f61825d88cf802a74d", "https://hybrid-analysis.com/sample/b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c/64e52411dbff7da2f4065fe7", "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef", "https://hybrid-analysis.com/sample/1ba7314785f705d0a3db7a3a8ae1da4fe11a2f776287ce3aabc3f3931469447b/64e67888f8d1145b63007ad1", "https://hybrid-analysis.com/sample/27c46f4f186b2168b1d37057378b58667151088cea24c8944d539d251d0b7f6d/64e678fba4a2aff1640fc39a" ], "public": 1, "adversary": "TBD", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 152, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 676, "URL": 1068, "domain": 11442, "email": 36, "hostname": 1862, "FileHash-MD5": 2000, "FileHash-SHA256": 1082 }, "indicator_count": 18166, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d7b50681961fa5e507b6b3", "name": "Phishing links piped to my personal devices", "description": "IOC's from an ongoing attack stemming from January 2022. This pulse will be malicious or phishing links piped to my personal devices by the threat actor.", "modified": "2024-02-10T03:14:05.379000", "created": "2023-08-12T16:36:22.687000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "http://hybrid-analysis.com/sample/4d8c2597fa65831b53c1cf32f418852f59f574c8811e9005121a5f6340b419de", "http://hybrid-analysis.com/sample/aa9862795c36c1eb69e665ffb00eb26e357f78e834fde753c823ff093199ed5d/64512d1b26a4544a2e012b74" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "individials" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 692, "FileHash-SHA1": 169, "FileHash-SHA256": 297, "URL": 895, "domain": 3465, "email": 5, "hostname": 521, "CVE": 4 }, "indicator_count": 6048, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a05f90fecc8ca5ef695c", "name": "IOC's from my personal devices for the week starting 08/21/23 - Pure Linux", "description": "", "modified": "2023-12-06T16:25:02.930000", "created": "2023-12-06T16:25:02.930000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2821, "hostname": 464, "email": 26, "URL": 978, "FileHash-MD5": 1139, "FileHash-SHA1": 541, "FileHash-SHA256": 839 }, "indicator_count": 6808, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6223f7716e04f48687adb8d8", "name": "Reported URLS", "description": "reported urls by a third party", "modified": "2022-03-05T23:51:13.163000", "created": "2022-03-05T23:51:13.163000", "tags": [ "domains", "URL", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tsagi727", "id": "183716", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 5, "modified_text": "1547 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "libgo.so.22.0.0", "https://hybrid-analysis.com/sample/27c46f4f186b2168b1d37057378b58667151088cea24c8944d539d251d0b7f6d/64e678fba4a2aff1640fc39a", "https://hybrid-analysis.com/sample/0d4a7cda209c9701bc4cd19aac861d2be8aa1ce6258922d64e711de3d9bad2ae/64e679f61825d88cf802a74d", "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0", "duktape.h", "dnsspider", "https://www.hybrid-analysis.com/sample/7a36b5b0ee19fd7f367bf5c321b32598d8e5f9ce38d3f46cad621334f4ac4794/64d6038800d015277f090693", "http://hybrid-analysis.com/sample/aa9862795c36c1eb69e665ffb00eb26e357f78e834fde753c823ff093199ed5d/64512d1b26a4544a2e012b74", "/opt/cuda", "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef", "https://hybrid-analysis.com/sample/1ba7314785f705d0a3db7a3a8ae1da4fe11a2f776287ce3aabc3f3931469447b/64e67888f8d1145b63007ad1", "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0/64e3ff9747b24214820d5c1a", "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef/64e3ffbd15668ff65803bf54", "http://hybrid-analysis.com/sample/4d8c2597fa65831b53c1cf32f418852f59f574c8811e9005121a5f6340b419de", "https://hybrid-analysis.com/sample/b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c/64e52411dbff7da2f4065fe7", "dockerd", "https://hybrid-analysis.com/sample/32bc49b0d1d7aba6742b0e81dc0105c54bd5c9f32321f96b1594fbbe36692880", "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4", "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4/64e43114272b03328005b88b", "tribool_io.hpp" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "N/A", "TBD" ], "malware_families": [], "industries": [ "Individials", "Individuals" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03fda0034d0da956e10d35", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-13T07:11:11.647000", "created": "2026-05-13T04:27:12.240000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA256": 7, "URL": 31, "domain": 224, "hostname": 13, "FileHash-SHA1": 7, "Mutex": 1, "IPv4": 207, "CVE": 8 }, "indicator_count": 512, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666646981c67b7ec964a7f62", "name": "checking more", "description": "", "modified": "2024-06-10T00:36:05.060000", "created": "2024-06-10T00:19:36.874000", "tags": [], "references": [ "https://www.hybrid-analysis.com/sample/7a36b5b0ee19fd7f367bf5c321b32598d8e5f9ce38d3f46cad621334f4ac4794/64d6038800d015277f090693" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1077, "hostname": 113 }, "indicator_count": 1190, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "720 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e298af236c03fdd49226dd", "name": "IOC's from my personal devices for the week starting 08/21/23 - Pure Linux", "description": "It's becoming quite the wrestling match trying to get these pulses's created especially trying to utilize OTX's native uploader for the actual pulse; but after taking another persistent OS instance as a casualty I'm finally getting a workflow down. \n\nThis is all Linux starting this week; with a metric f*ck ton and frankly overwhelming amount of Yara matches I could only get a few to play outside of local analysis. But those include an apprently rooted libgo that landed on an Arch ISO as well as a CAchyOS ISO; a Dockerd that was hiding in the source {~/docker/bundles/binary) directory after cloning from gtihub earlier today as well as an unsolicited dsniff executable. Whatever this is also decided to leech off of and make a home out of the Cuda lib (/opt/cuda/ --- and as soon as I can get it uploaded a malicious ISO, and kernel out of the docker-desktop (/opt/docker-desktop) directory. Never a dull moment.", "modified": "2024-02-14T21:44:03.410000", "created": "2023-08-20T22:50:23.225000", "tags": [ "dukexternaldecl", "dukfilemacro", "duklinemacro", "duktape", "dukapinoreturn", "dukcompileeval", "dukcompilesafe", "null", "vaargs", "ecmascript", "date", "error", "push", "local", "internal", "returns", "value", "boostnocwchar", "indeterminate", "boostusefacet", "brief returns", "boosthasfacet", "gregor", "boost software", "license", "banner", "ipaddr", "author", "usage", "version", "anhth", "atlassian2", "cdn2", "devadmin", "haproxy3", "false", "team", "abba", "abcd", "acid", "adonis", "aeon", "afrodita", "agent", "akira", "alabama", "aldebaran", "aleph", "alex", "alexa", "alfa", "alien", "alina", "alisa", "alma", "alpha", "amigo", "amos", "anarchy", "andromeda", "angela", "anime", "anis", "anna", "anubis", "apache", "apollo", "april", "arch", "archie", "argos", "argus", "aria", "aris", "armageddon", "artemis", "asahi", "ashley", "assassin", "astra", "atom", "atomic", "august", "auriga", "aurora", "austin", "autorun", "avalanche", "avalon", "avenger", "aviator", "avril", "azrael", "baba", "babe", "baby", "babylon", "bach", "baidu", "bandung", "bank", "baobab", "bara", "baran", "baron", "barry", "bart", "basket", "batman", "bazar", "beer", "belarus", "belka", "belle", "benchmark", "benjamin", "benny", "bill", "bingo", "blackbox", "blackcat", "blackhole", "blacksun", "blaze", "blizzard", "blondie", "blood", "bluesky", "bnet", "bobo", "bomb", "bomber", "boom", "borg", "bounce", "bouncer", "boxer", "bridge", "buddy", "bullet", "bumblebee", "bunny", "burn", "caca", "caesar", "calendar", "calgary", "camel", "candle", "canvas", "cardinal", "cargo", "carpediem", "carrier", "casino", "casper", "cassini", "celine", "cerberus", "cetus", "chacha", "chantal", "cheap", "chester", "chewbacca", "chin", "citadel", "clarity", "class", "click", "clock", "cluster", "cobalt", "cobra", "coco", "coconut", "code", "coke", "combo", "comet", "comment", "comp", "conan", "config", "connector", "contact", "cookie", "cool", "corona", "cracker", "crash", "crawl", "crazy", "crew", "crime", "crimson", "crypton", "crystal", "cuba", "cyber", "cyrus", "dada", "dani", "daniel", "dark", "darkman", "darkness", "darkside", "darkstar", "daum", "david", "davis", "dbase", "death", "deimos", "delphi", "delta", "demo", "democracy", "dennis", "depot", "derek", "designer", "desktop", "dexter", "dharma", "diablo", "dialer", "diego", "diesel", "digi", "dima", "dino", "direct", "divine", "django", "dock", "dodo", "dolphin", "domino", "donald", "doom", "dora", "dotnet", "dracula", "dragon", "drop", "drweb", "dude", "duke", "dummy", "dump", "dune", "dust", "duster", "easy", "echelon", "eclipse", "eddie", "eddy", "elaine", "eleanor", "elisa", "elite", "emilia", "emma", "empire", "encrypt", "energy", "epsilon", "equinox", "eris", "esmeralda", "esupport", "eternal", "eternity", "euclid", "evil", "excalibur", "exodus", "experiment", "explorer", "express", "face", "facebook", "factory", "faisal", "fastcash", "feedme", "fenrir", "feri", "fiesta", "final", "finger", "firebird", "firefly", "first", "flamingo", "flash", "flex", "floyd", "flux", "fortune", "foryou", "foxy", "freddy", "freedom", "freeweb", "frodo", "frog", "front", "frozen", "fruit", "funky", "fury", "gaga", "galaxy", "galileo", "gamma", "gate", "gauss", "general", "generator", "genome", "giga", "gigi", "ginger", "girls", "glacier", "globe", "gloria", "goblin", "gogo", "golf", "gollum", "gondor", "gotcha", "graphite", "groove", "guard", "habbo", "hair", "hale", "hamster", "happytime", "harmony", "harrier", "havoc", "hawk", "hehe", "hell", "hello", "helpme", "hermit", "hino", "hippo", "honeypot", "hook", "horror", "hoster", "hotmail", "hunter", "hydra", "ibank", "icarus", "ident", "igloo", "iloveyou", "immortal", "impact", "import", "incom", "incubator", "indra", "inex", "inferno", "infinity", "info", "infra", "insane", "inside", "inter", "iowa", "iron", "iservice", "istanbul", "ivan", "jackson", "jaka", "jason", "jedi", "jeff", "jigsaw", "jimmy", "jinx", "john", "johnny", "joker", "joshi", "jquery", "judy", "julia", "juliet", "julius", "june", "juno", "justin", "kaiser", "kala", "kali", "kami", "kamikaze", "kamil", "kappa", "karin", "karina", "karma", "kato", "katy", "keeper", "kevin", "kiev", "killer", "kilo", "kiwi", "koko", "krasnodar", "krypton", "kurgan", "lana", "landmark", "lapis", "larry", "lazarus", "lazy", "leda", "legacy", "leon", "levi", "leviathan", "light", "lilith", "lilo", "lime", "little", "liza", "lizard", "logger", "logic", "loke", "loki", "lola", "loli", "lolita", "lolol", "look", "loulou", "love", "lucia", "lucky", "lucy", "luna", "lust", "madmax", "mafia", "magazine", "magento", "maggie", "magic", "magnum", "mailto", "maker", "mamba", "mami", "mandrake", "mania", "manuel", "marina", "mario", "mark", "markus", "marlboro", "martin", "maru", "mask", "massmail", "matrix", "maverick", "maximus", "maya", "mayak", "maze", "media", "medusa", "mensa", "mercurial", "mercury", "merlin", "meta", "metal", "metallica", "meteor", "metro", "mexico", "michael", "mikey", "mine", "mini", "minotaur", "minsk", "mint", "mira", "miso", "mission", "model", "monster", "moran", "mordor", "mozart", "multi", "murphy", "mylove", "nazgul", "nebula", "neko", "netmail", "neuro", "neuron", "nevada", "nexus", "night", "nightmare", "nikita", "niko", "nina", "ninja", "nirvana", "nitro", "nomad", "nono", "noob", "northstar", "nova", "nuke", "oblivion", "octopus", "ogre", "olga", "olivia", "omni", "ontario", "open", "orinoco", "oscar", "otto", "outside", "ozzy", "pacman", "pamela", "panama", "panda", "pandora", "panic", "paradox", "paraguay", "paranoia", "paris", "pass", "passmark", "path", "payment", "pedro", "pepe", "pepper", "perseus", "phantom", "philadelphia", "phoenix", "phpbb", "picasso", "pigeon", "pikachu", "pinger", "pingpong", "pinky", "pioneer", "pirate", "piter", "pixel", "pizza", "plasma", "pluto", "police", "pony", "porno", "posta", "prague", "predator", "prestige", "primus", "prism", "privat", "probe", "problem", "proj", "project", "prometheus", "prophet", "protect", "proteus", "proton", "puma", "punk", "python", "quake", "quartz", "quasar", "r2d2", "race", "ragnarok", "raid", "rainbow", "rambo", "rana", "ranger", "rape", "rapid", "raptor", "ravi", "razor", "reboot", "recon", "rector", "reda", "redir", "redirector", "redline", "refresh", "reklam", "relax", "rescue", "retro", "rhino", "rigel", "riot", "robin", "robinhood", "robo", "rock", "rocket", "rogue", "roma", "rosebud", "roxy", "ruby", "runner", "rush", "sadmin", "saigon", "sailor", "sakura", "salsa", "samurai", "sanctuary", "sandbox", "sandra", "sandy", "sapphire", "sara", "sarah", "satan", "saturn", "sauron", "savenow", "school", "seeker", "sentinel", "seraph", "serena", "serg", "service", "servidor", "sexy", "shadow", "shaggy", "shaman", "shane", "sharepoint", "shark", "shell", "sherlock", "silent", "simba", "simplex", "sirius", "skinner", "skipper", "skynet", "slash", "slice", "slim", "smash", "smog", "snake", "sniper", "snow", "snowflake", "sochi", "solid", "sonic", "sora", "soul", "spark", "sparkle", "sparta", "spartacus", "spawn", "spectre", "sphinx", "spice", "spin", "spirit", "splash", "spooky", "sport", "squirrel", "star", "stark", "stealth", "steel", "stop", "story", "striker", "stub", "styx", "sugar", "sunny", "sunset", "super", "supernova", "supervisor", "supra", "suri", "survey", "sweet", "sword", "sysadmin", "target", "tarot", "taurus", "teamo", "techno", "telecom", "template", "terminal", "terra", "terre", "testapi", "tetris", "thebe", "theta", "thor", "tibia", "tick", "ticker", "tiger", "tigger", "tiny", "titan", "titanic", "tokyo", "toolbar", "torun", "trace", "trailer", "trash", "trident", "trigger", "trinity", "tripoli", "triton", "troll", "tron", "troy", "tsunami", "tula", "twister", "twitter", "ultimate", "uranus", "uruguay", "valencia", "valentine", "valeria", "vampire", "vanguard", "venus", "victor", "vidar", "vienna", "viper", "voice", "voodoo", "voronezh", "vortex", "voyager", "vulcano", "waffle", "wagner", "walker", "wallpaper", "walrus", "wanderer", "warrior", "webadmin", "webdav", "websearch", "webview", "wedge", "westnet", "whiterose", "wide", "widget", "willow", "win4", "window", "winnie", "winnt", "wolf", "wraith", "write", "wuhan", "xanadu", "xena", "xenon", "xmail", "xpress", "yang", "youth", "yoyo", "yume", "zeppelin", "zero", "zeus", "zhang", "zimbra", "zion", "zombie", "zona", "zorro", "zulu", "NativeAPI" ], "references": [ "duktape.h", "tribool_io.hpp", "dnsspider", "libgo.so.22.0.0", "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4/64e43114272b03328005b88b", "/opt/cuda", "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0/64e3ff9747b24214820d5c1a", "https://hybrid-analysis.com/sample/32bc49b0d1d7aba6742b0e81dc0105c54bd5c9f32321f96b1594fbbe36692880", "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef/64e3ffbd15668ff65803bf54", "dockerd", "https://hybrid-analysis.com/sample/a55c43184ee4ec03a636b357e8fef5ce2e8fde34f61a28610d4ca285db9b07e4", "https://hybrid-analysis.com/sample/db47ed2f22009cab171b7d16ec3462258ddf7bed0a6a9af198e5394e783198c0", "https://hybrid-analysis.com/sample/0d4a7cda209c9701bc4cd19aac861d2be8aa1ce6258922d64e711de3d9bad2ae/64e679f61825d88cf802a74d", "https://hybrid-analysis.com/sample/b2efd5e0c2f695063a8bce40c8182aa70f33c4b1b77d232b7530d89fb9646f0c/64e52411dbff7da2f4065fe7", "https://hybrid-analysis.com/sample/bad3965a417d2fd936116414be04591aedc9275d3c545b3709334d3805d69bef", "https://hybrid-analysis.com/sample/1ba7314785f705d0a3db7a3a8ae1da4fe11a2f776287ce3aabc3f3931469447b/64e67888f8d1145b63007ad1", "https://hybrid-analysis.com/sample/27c46f4f186b2168b1d37057378b58667151088cea24c8944d539d251d0b7f6d/64e678fba4a2aff1640fc39a" ], "public": 1, "adversary": "TBD", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 152, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 676, "URL": 1068, "domain": 11442, "email": 36, "hostname": 1862, "FileHash-MD5": 2000, "FileHash-SHA256": 1082 }, "indicator_count": 18166, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d7b50681961fa5e507b6b3", "name": "Phishing links piped to my personal devices", "description": "IOC's from an ongoing attack stemming from January 2022. This pulse will be malicious or phishing links piped to my personal devices by the threat actor.", "modified": "2024-02-10T03:14:05.379000", "created": "2023-08-12T16:36:22.687000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "http://hybrid-analysis.com/sample/4d8c2597fa65831b53c1cf32f418852f59f574c8811e9005121a5f6340b419de", "http://hybrid-analysis.com/sample/aa9862795c36c1eb69e665ffb00eb26e357f78e834fde753c823ff093199ed5d/64512d1b26a4544a2e012b74" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "individials" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 692, "FileHash-SHA1": 169, "FileHash-SHA256": 297, "URL": 895, "domain": 3465, "email": 5, "hostname": 521, "CVE": 4 }, "indicator_count": 6048, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a05f90fecc8ca5ef695c", "name": "IOC's from my personal devices for the week starting 08/21/23 - Pure Linux", "description": "", "modified": "2023-12-06T16:25:02.930000", "created": "2023-12-06T16:25:02.930000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2821, "hostname": 464, "email": 26, "URL": 978, "FileHash-MD5": 1139, "FileHash-SHA1": 541, "FileHash-SHA256": 839 }, "indicator_count": 6808, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6223f7716e04f48687adb8d8", "name": "Reported URLS", "description": "reported urls by a third party", "modified": "2022-03-05T23:51:13.163000", "created": "2022-03-05T23:51:13.163000", "tags": [ "domains", "URL", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tsagi727", "id": "183716", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 5, "modified_text": "1547 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "lassocrm.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "lassocrm.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214355.2883663 }