{
  "type": "Domain",
  "indicator": "mode.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/mode.com",
    "alexa": "http://www.alexa.com/siteinfo/mode.com",
    "indicator": "mode.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain mode.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2181209243,
      "indicator": "mode.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "6a01354e0f96f44818129b27",
          "name": "W11 - 05.08.26 - ASUS Clone_UAlberta AHS GoA - Files Only",
          "description": "Scan of AHS/Covenant Health, UAlberta, GoA Domain Joined Device\nW11 - 05.08.26 - P1-P6\nRestricted",
          "modified": "2026-05-11T17:13:37.959000",
          "created": "2026-05-11T01:47:58.771000",
          "tags": [
            "YARA",
            "Jupyter_infostealer",
            "dependsonpythonailib",
            "classified",
            "CP_Script_Inject_Detector",
            "vmdetect",
            "Check_Dlls",
            "NET\thttps://yaraify.abuse.ch/search/yara/NET/",
            "Sus_CMD_Powershell_Usage",
            "test_rule_vldslv",
            "FreddyBearDropper"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g3944caf296a54705bdbfd7cec9e92c05e20a53d0d3814c17b06bc7057c5b2472?theme=dark",
            "https://www.virustotal.com/gui/collection/91b6e1b77529d1af156e6626798d259c4cef8c366359f7bd030f84a8f6e16844/iocs",
            "https://www.virustotal.com/graph/embed/gf16ea757421742d8b025d78d53b5bdbc437ba572bcd440ec9b1537d454bd7141?theme=dark",
            "https://www.virustotal.com/gui/collection/207a9894ae39ecf054b7beae2c3d3bf8cc7978562eab9a17d7c8e1db95c634df/iocs",
            "https://www.virustotal.com/graph/embed/gca730d4ad5d04cd9932324db97a38c0b7b4cdb8848264962ab20ef48b3e00704?theme=dark",
            "https://www.virustotal.com/gui/collection/f1139bc311b44effd63c5f3c895386ffb5a15c012d0e1b3efcdad7a9f43af977/iocs",
            "https://www.virustotal.com/gui/collection/c42190433e95fe4960d3c57ec81e869fd063c7c98fe08de1e61c5c7b82ce7951/iocs",
            "https://www.virustotal.com/gui/collection/c01ec3ced8ca33a975e8f41324fe1f9cf2a3e5682137084e8f61c09d3121c3c8/iocs",
            "https://www.virustotal.com/gui/collection/3be31d72071834427b2c433fc5bf71a8288a47ed83012931ac676d56597415ce/iocs",
            "https://metadefender.com/results/file/bzI2MDUxMWc0TkVtTmRpT3g3eUh5VnhWTmZV",
            "https://www.virustotal.com/gui/file/caf6170928c2aa757b4b40593ee640353163e51777f1e41a2cb6e0e46c000b28/detection",
            "https://www.filescan.io/uploads/6a01fd27df14f1cb2ad02927/reports/5891da9f-7e53-46ae-a484-185895cae2d7/overview",
            "https://opentip.kaspersky.com/CAF6170928C2AA757B4B40593EE640353163E51777F1E41A2CB6E0E46C000B28/results?tab=upload",
            "https://yaraify.abuse.ch/scan/results/0890b04c-4d59-11f1-badc-42010aa4000b",
            "https://hybrid-analysis.com/file-collection/6a020a3c5aacd57afc0aa061"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Healthcare",
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21693,
            "FileHash-SHA1": 1413,
            "FileHash-SHA256": 1420,
            "domain": 26,
            "hostname": 24
          },
          "indicator_count": 24576,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 19,
          "modified_text": "19 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc4d77afa81737a1d6262c",
          "name": "Fsysna - Privileged Agent Rufus",
          "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.\nTechnical Analysis\nSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).\nDirect Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.\nPrivileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.\nHeuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.",
          "modified": "2026-05-08T06:33:56.667000",
          "created": "2026-05-07T08:29:43.174000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 138,
            "domain": 29,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "IPv4": 41,
            "hostname": 79,
            "URL": 84,
            "email": 48
          },
          "indicator_count": 431,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc4d769e89dc96fce03ffe",
          "name": "Fsysna - Privileged Agent Rufus",
          "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.\nTechnical Analysis\nSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).\nDirect Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.\nPrivileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.\nHeuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.",
          "modified": "2026-05-08T06:33:56.571000",
          "created": "2026-05-07T08:29:42.377000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 138,
            "domain": 29,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "IPv4": 41,
            "hostname": 79,
            "URL": 84,
            "email": 48
          },
          "indicator_count": 431,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc4d75bbb155224dcb27b7",
          "name": "Fsysna - Privileged Agent Rufus",
          "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.\nTechnical Analysis\nSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).\nDirect Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.\nPrivileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.\nHeuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.",
          "modified": "2026-05-08T06:33:55.728000",
          "created": "2026-05-07T08:29:41.963000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 138,
            "domain": 30,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "IPv4": 41,
            "hostname": 79,
            "URL": 84,
            "email": 48
          },
          "indicator_count": 432,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b48ea78085bbda7a865868",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-04-12T22:04:09.704000",
          "created": "2026-03-13T22:24:39.736000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 30,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "URL": 14,
            "domain": 13,
            "hostname": 37
          },
          "indicator_count": 124,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "48 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b49187d33c6df06eed1b57",
          "name": "vxCube \u2014 Report",
          "description": "need to study sample further; prelim look: unauth. google cloud domain use",
          "modified": "2026-04-12T00:05:39.579000",
          "created": "2026-03-13T22:36:55.274000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4296,
            "FileHash-SHA1": 5,
            "URL": 6,
            "domain": 15,
            "hostname": 18,
            "FileHash-SHA256": 4
          },
          "indicator_count": 4344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "49 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e9c8e63a72c7cb531a58ba",
          "name": "08.09.24 URLscanio 2 weeks.csv",
          "description": "",
          "modified": "2025-10-25T02:09:23.619000",
          "created": "2024-09-17T18:22:30.731000",
          "tags": [],
          "references": [
            "https://x.com/NorrisN60014/status/1836092481978486802",
            "https://x.com/NorrisN60014/status/1836092481978486802",
            "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f",
            "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2",
            "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports",
            "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C",
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-MD5": 6,
            "URL": 1074,
            "domain": 1530,
            "email": 2,
            "hostname": 2849
          },
          "indicator_count": 5464,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "218 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f235b9a7a94a6a61acd651",
          "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
          "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.",
          "modified": "2025-03-07T08:38:08.584000",
          "created": "2024-09-24T03:44:57.902000",
          "tags": [
            "geoip",
            "public url",
            "as16509",
            "amazon02",
            "as20940",
            "akamaiasn1",
            "as8075",
            "as15169",
            "google",
            "akamaias",
            "facebook",
            "telecom",
            "twitter",
            "media",
            "win64",
            "level3",
            "mini",
            "ukraine",
            "proton",
            "ghost",
            "win32",
            "cuba",
            "mexico",
            "indonesia",
            "seznam",
            "as3359",
            "as852"
          ],
          "references": [
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
            "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
            "https://n0paste.eu/UH6n5pD/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Anguilla",
            "Poland",
            "Aruba",
            "Australia",
            "Barbados",
            "Costa Rica",
            "Guatemala",
            "Philippines",
            "Panama",
            "Sint Maarten (Dutch part)",
            "Saint Martin (French part)",
            "Cayman Islands",
            "Cura\u00e7ao",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Saint Kitts and Nevis",
            "Tanzania, United Republic of",
            "Netherlands",
            "Ukraine",
            "Trinidad and Tobago",
            "Japan",
            "Bahamas",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "CIDR": 1186,
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 3,
            "URL": 25493,
            "domain": 5396,
            "email": 10,
            "hostname": 10770
          },
          "indicator_count": 42892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "450 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bf266b6fcd9faea7066e4a",
          "name": "Malwarebytes - Compromised Host | Injector | Simba | System Hijacking",
          "description": "\"Bundled Files: Malwarebytes.Premium.prem.com:\nMalicious noses sound in Malwarebytes with capabilities to infect entire system, bios (all). Complete CnC. High priority malicious.\nALF:JASYP:PUAWin32/Bibado!atmn\nBackdoor.Win32.Shiz.ivr\nGeneric\nSimda\nVirTool:Win32/Injector.gen!BQ\nWin.Trojan.Agent-316098\nWin.Trojan.Agent-316117",
          "modified": "2024-09-15T07:02:25.374000",
          "created": "2024-08-16T10:14:03.907000",
          "tags": [
            "historical ssl",
            "threat network",
            "infrastructure",
            "referrer",
            "adversaries",
            "information",
            "win32diskdrive",
            "win32processor",
            "windows",
            "registry run",
            "registers",
            "flow t1574",
            "dll sideloading",
            "powershell",
            "window",
            "modify registry",
            "e1203 windows",
            "catalog tree",
            "analysis ob0001",
            "b0001 memory",
            "b0002 guard",
            "virtual machine",
            "detection b0009",
            "check registry",
            "check",
            "cnamazon rsa",
            "m02 oamazon",
            "number",
            "cus subject",
            "data",
            "m01 oamazon",
            "dns resolutions",
            "ip traffic",
            "memory pattern",
            "domains",
            "hashes",
            "user",
            "peexe c",
            "text c",
            "menu c",
            "menuprograms c",
            "games c",
            "text",
            "ttf c",
            "file system",
            "defender c",
            "desktop",
            "analyzer paste",
            "iocs",
            "hostnames",
            "url https",
            "samples",
            "generic malware",
            "tag count",
            "tue apr",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "first",
            "generic",
            "united",
            "mail spammer",
            "host",
            "cins active",
            "poor reputation",
            "detection list",
            "ip address",
            "blacklist",
            "malicious host",
            "team http",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "fuery",
            "malware",
            "presenoker",
            "team",
            "riskware",
            "artemis",
            "passive dns",
            "as44273 host",
            "urls",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "files",
            "domain",
            "files ip",
            "unknown",
            "germany unknown",
            "bq aug",
            "virtool",
            "ipv4",
            "main",
            "related pulses",
            "file samples",
            "files matching",
            "show",
            "search",
            "date hash",
            "showing",
            "next",
            "win32",
            "nxdomain",
            "ip related",
            "gmt content",
            "type",
            "x frame",
            "sameorigin x",
            "xss protection",
            "encrypt",
            "asnone united",
            "title error",
            "pulse submit",
            "url analysis",
            "date",
            "status",
            "creation date",
            "name servers",
            "hostname",
            "urls http",
            "msie",
            "windows nt",
            "slcc2",
            "media center",
            "suspicious",
            "verisign",
            "simda",
            "copy",
            "possible",
            "class",
            "write",
            "code",
            "win32 exe",
            "available from",
            "services",
            "registry tech",
            "server",
            "registrar abuse",
            "dnssec",
            "registrant name",
            "ninite",
            "dns replication",
            "technology",
            "bq jun",
            "bq jul",
            "domain status",
            "domain name",
            "contact email",
            "contact phone",
            "full name",
            "algorithm",
            "v3 serial",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "info",
            "avast avg",
            "entries",
            "exclusionpath",
            "created",
            "shell commands",
            "processes tree",
            "silent log",
            "norestart",
            "k wersvcgroup",
            "pss s",
            "k wsappx",
            "signals mutexes",
            "mutexes",
            "global",
            "synchronization",
            "dataset",
            "system property",
            "lookups",
            "select index",
            "macaddress",
            "adaptertypeid0",
            "win32bios",
            "index0",
            "where index0",
            "select uuid",
            "self-delete",
            "persistence",
            "macro-powershell",
            "long-sleeps",
            "calls-wmi",
            "checks-bios",
            "checks-disk-space",
            "checks-memory-available",
            "checks-network-adapters",
            "checks-usb-bus",
            "checks-user-input",
            "crypto",
            "detect-debug-environment",
            "dos batch",
            "file type",
            "pe resource",
            "malicious",
            "socks5systemz",
            "nushell",
            "autodiscovery",
            "cookietheft",
            "twitter ad",
            "dos batch file",
            "t1064 executes",
            "mitre att",
            "ta0002 command",
            "t1059 uses",
            "dlls privilege",
            "dlls defense",
            "evasion ta0005"
          ],
          "references": [
            "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip",
            "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com",
            "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep",
            "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113",
            "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
            "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st",
            "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)",
            "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)",
            "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)",
            "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e",
            "Antivirus Detections: Win.Trojan.Carberp-6809884-0 ,  VirTool:Win32/Injector.gen!BQ  Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat",
            "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
            "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0",
            "Yara Detections: generic_shellcode_downloader",
            "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content",
            "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-316098",
              "display_name": "Win.Trojan.Agent-316098",
              "target": null
            },
            {
              "id": "Win.Trojan.Istbar-231",
              "display_name": "Win.Trojan.Istbar-231",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUAWin32/Bibado!atmn",
              "display_name": "ALF:JASYP:PUAWin32/Bibado!atmn",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "Backdoor.Win32.Shiz.ivr",
              "display_name": "Backdoor.Win32.Shiz.ivr",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-316117",
              "display_name": "Win.Trojan.Agent-316117",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1848,
            "FileHash-MD5": 1826,
            "FileHash-SHA1": 1296,
            "domain": 152,
            "hostname": 265,
            "URL": 132,
            "email": 2
          },
          "indicator_count": 5521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 232,
          "modified_text": "623 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c52fe96ef88583efb8484f",
          "name": "Compromised Host - Malwarebytes | Injector | Simda | System Hijacking",
          "description": "",
          "modified": "2024-09-15T07:02:25.374000",
          "created": "2024-08-21T00:08:09.738000",
          "tags": [
            "historical ssl",
            "threat network",
            "infrastructure",
            "referrer",
            "adversaries",
            "information",
            "win32diskdrive",
            "win32processor",
            "windows",
            "registry run",
            "registers",
            "flow t1574",
            "dll sideloading",
            "powershell",
            "window",
            "modify registry",
            "e1203 windows",
            "catalog tree",
            "analysis ob0001",
            "b0001 memory",
            "b0002 guard",
            "virtual machine",
            "detection b0009",
            "check registry",
            "check",
            "cnamazon rsa",
            "m02 oamazon",
            "number",
            "cus subject",
            "data",
            "m01 oamazon",
            "dns resolutions",
            "ip traffic",
            "memory pattern",
            "domains",
            "hashes",
            "user",
            "peexe c",
            "text c",
            "menu c",
            "menuprograms c",
            "games c",
            "text",
            "ttf c",
            "file system",
            "defender c",
            "desktop",
            "analyzer paste",
            "iocs",
            "hostnames",
            "url https",
            "samples",
            "generic malware",
            "tag count",
            "tue apr",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "first",
            "generic",
            "united",
            "mail spammer",
            "host",
            "cins active",
            "poor reputation",
            "detection list",
            "ip address",
            "blacklist",
            "malicious host",
            "team http",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "fuery",
            "malware",
            "presenoker",
            "team",
            "riskware",
            "artemis",
            "passive dns",
            "as44273 host",
            "urls",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "files",
            "domain",
            "files ip",
            "unknown",
            "germany unknown",
            "bq aug",
            "virtool",
            "ipv4",
            "main",
            "related pulses",
            "file samples",
            "files matching",
            "show",
            "search",
            "date hash",
            "showing",
            "next",
            "win32",
            "nxdomain",
            "ip related",
            "gmt content",
            "type",
            "x frame",
            "sameorigin x",
            "xss protection",
            "encrypt",
            "asnone united",
            "title error",
            "pulse submit",
            "url analysis",
            "date",
            "status",
            "creation date",
            "name servers",
            "hostname",
            "urls http",
            "msie",
            "windows nt",
            "slcc2",
            "media center",
            "suspicious",
            "verisign",
            "simda",
            "copy",
            "possible",
            "class",
            "write",
            "code",
            "win32 exe",
            "available from",
            "services",
            "registry tech",
            "server",
            "registrar abuse",
            "dnssec",
            "registrant name",
            "ninite",
            "dns replication",
            "technology",
            "bq jun",
            "bq jul",
            "domain status",
            "domain name",
            "contact email",
            "contact phone",
            "full name",
            "algorithm",
            "v3 serial",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "info",
            "avast avg",
            "entries",
            "exclusionpath",
            "created",
            "shell commands",
            "processes tree",
            "silent log",
            "norestart",
            "k wersvcgroup",
            "pss s",
            "k wsappx",
            "signals mutexes",
            "mutexes",
            "global",
            "synchronization",
            "dataset",
            "system property",
            "lookups",
            "select index",
            "macaddress",
            "adaptertypeid0",
            "win32bios",
            "index0",
            "where index0",
            "select uuid",
            "self-delete",
            "persistence",
            "macro-powershell",
            "long-sleeps",
            "calls-wmi",
            "checks-bios",
            "checks-disk-space",
            "checks-memory-available",
            "checks-network-adapters",
            "checks-usb-bus",
            "checks-user-input",
            "crypto",
            "detect-debug-environment",
            "dos batch",
            "file type",
            "pe resource",
            "malicious",
            "socks5systemz",
            "nushell",
            "autodiscovery",
            "cookietheft",
            "twitter ad",
            "dos batch file",
            "t1064 executes",
            "mitre att",
            "ta0002 command",
            "t1059 uses",
            "dlls privilege",
            "dlls defense",
            "evasion ta0005"
          ],
          "references": [
            "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip",
            "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com",
            "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep",
            "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113",
            "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
            "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st",
            "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)",
            "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)",
            "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)",
            "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e",
            "Antivirus Detections: Win.Trojan.Carberp-6809884-0 ,  VirTool:Win32/Injector.gen!BQ  Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat",
            "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
            "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0",
            "Yara Detections: generic_shellcode_downloader",
            "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content",
            "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-316098",
              "display_name": "Win.Trojan.Agent-316098",
              "target": null
            },
            {
              "id": "Win.Trojan.Istbar-231",
              "display_name": "Win.Trojan.Istbar-231",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUAWin32/Bibado!atmn",
              "display_name": "ALF:JASYP:PUAWin32/Bibado!atmn",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "Backdoor.Win32.Shiz.ivr",
              "display_name": "Backdoor.Win32.Shiz.ivr",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-316117",
              "display_name": "Win.Trojan.Agent-316117",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66bf266b6fcd9faea7066e4a",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1848,
            "FileHash-MD5": 1826,
            "FileHash-SHA1": 1296,
            "domain": 152,
            "hostname": 265,
            "URL": 132,
            "email": 2
          },
          "indicator_count": 5521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "623 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66787d5a6185154041c0a9fd",
          "name": "Copy of getting files onto OTX - Windows system32 sha256 dump (filtered)",
          "description": "",
          "modified": "2024-06-27T23:29:05.404000",
          "created": "2024-06-23T19:54:02.296000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "667879806fcf703f9b4b99de",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA256": 865,
            "domain": 39,
            "hostname": 3
          },
          "indicator_count": 913,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "702 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "667879806fcf703f9b4b99de",
          "name": "My workaround to getting files onto OTX - Windows system32 sha256 dump",
          "description": "I have been trying to create a pulse regarding multiple files failing integrity checks as well as having invalid signatures (some with no signature at all), plus unconfirmed IoCs pertaining to APT28. This is just to get the hashes and file names into the community. What I have had to do is use vt-cli on Linux to upload the files (which I am still doing, due to API quota restrictions), then calculate the SHA-256 hashes of the files directly and copy and paste them into the create page. Take it as you will. Stay tuned.",
          "modified": "2024-06-23T19:37:36.619000",
          "created": "2024-06-23T19:37:36.619000",
          "tags": [
            "dev56a0",
            "subsys3937",
            "deva780",
            "subsysd000",
            "management",
            "task",
            "clientad rms",
            "policy template",
            "refresh",
            "scan",
            "defender",
            "loader"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA256": 15578,
            "domain": 228,
            "hostname": 23
          },
          "indicator_count": 15848,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "706 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62221d71474b323d486dc3f2",
          "name": "WTF 2022",
          "description": "",
          "modified": "2022-04-03T00:00:55.161000",
          "created": "2022-03-04T14:08:49.518000",
          "tags": [],
          "references": [
            "WTF.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 587,
            "URL": 668,
            "hostname": 613,
            "domain": 1320,
            "FileHash-MD5": 59,
            "FileHash-SHA1": 2
          },
          "indicator_count": 3249,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 406,
          "modified_text": "1519 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113",
        "https://www.virustotal.com/gui/collection/c01ec3ced8ca33a975e8f41324fe1f9cf2a3e5682137084e8f61c09d3121c3c8/iocs",
        "https://www.filescan.io/uploads/6a01fd27df14f1cb2ad02927/reports/5891da9f-7e53-46ae-a484-185895cae2d7/overview",
        "https://www.virustotal.com/gui/collection/3be31d72071834427b2c433fc5bf71a8288a47ed83012931ac676d56597415ce/iocs",
        "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53",
        "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com",
        "WTF.pdf",
        "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports",
        "https://www.virustotal.com/graph/embed/g3944caf296a54705bdbfd7cec9e92c05e20a53d0d3814c17b06bc7057c5b2472?theme=dark",
        "https://www.virustotal.com/gui/collection/207a9894ae39ecf054b7beae2c3d3bf8cc7978562eab9a17d7c8e1db95c634df/iocs",
        "https://opentip.kaspersky.com/CAF6170928C2AA757B4B40593EE640353163E51777F1E41A2CB6E0E46C000B28/results?tab=upload",
        "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f",
        "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0",
        "https://n0paste.eu/UH6n5pD/",
        "Yara Detections: generic_shellcode_downloader",
        "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C",
        "https://hybrid-analysis.com/file-collection/6a020a3c5aacd57afc0aa061",
        "https://x.com/NorrisN60014/status/1836092481978486802",
        "https://www.virustotal.com/gui/collection/f1139bc311b44effd63c5f3c895386ffb5a15c012d0e1b3efcdad7a9f43af977/iocs",
        "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e",
        "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)",
        "https://www.virustotal.com/graph/embed/gca730d4ad5d04cd9932324db97a38c0b7b4cdb8848264962ab20ef48b3e00704?theme=dark",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "https://www.virustotal.com/graph/embed/gf16ea757421742d8b025d78d53b5bdbc437ba572bcd440ec9b1537d454bd7141?theme=dark",
        "https://metadefender.com/results/file/bzI2MDUxMWc0TkVtTmRpT3g3eUh5VnhWTmZV",
        "https://yaraify.abuse.ch/scan/results/0890b04c-4d59-11f1-badc-42010aa4000b",
        "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip",
        "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2",
        "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements",
        "https://www.virustotal.com/gui/collection/91b6e1b77529d1af156e6626798d259c4cef8c366359f7bd030f84a8f6e16844/iocs",
        "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content",
        "https://www.virustotal.com/gui/file/caf6170928c2aa757b4b40593ee640353163e51777f1e41a2cb6e0e46c000b28/detection",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn",
        "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st",
        "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)",
        "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "https://www.virustotal.com/gui/collection/c42190433e95fe4960d3c57ec81e869fd063c7c98fe08de1e61c5c7b82ce7951/iocs",
        "Antivirus Detections: Win.Trojan.Carberp-6809884-0 ,  VirTool:Win32/Injector.gen!BQ  Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat",
        "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Backdoor.win32.shiz.ivr",
            "Win.trojan.agent-316117",
            "Simda",
            "Alf:jasyp:puawin32/bibado!atmn",
            "Generic",
            "Win.trojan.agent-316098",
            "Win.trojan.istbar-231",
            "Virtool:win32/injector.gen!bq"
          ],
          "industries": [
            "Education",
            "Government",
            "Technology",
            "Healthcare",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "6a01354e0f96f44818129b27",
      "name": "W11 - 05.08.26 - ASUS Clone_UAlberta AHS GoA - Files Only",
      "description": "Scan of AHS/Covenant Health, UAlberta, GoA Domain Joined Device\nW11 - 05.08.26 - P1-P6\nRestricted",
      "modified": "2026-05-11T17:13:37.959000",
      "created": "2026-05-11T01:47:58.771000",
      "tags": [
        "YARA",
        "Jupyter_infostealer",
        "dependsonpythonailib",
        "classified",
        "CP_Script_Inject_Detector",
        "vmdetect",
        "Check_Dlls",
        "NET\thttps://yaraify.abuse.ch/search/yara/NET/",
        "Sus_CMD_Powershell_Usage",
        "test_rule_vldslv",
        "FreddyBearDropper"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g3944caf296a54705bdbfd7cec9e92c05e20a53d0d3814c17b06bc7057c5b2472?theme=dark",
        "https://www.virustotal.com/gui/collection/91b6e1b77529d1af156e6626798d259c4cef8c366359f7bd030f84a8f6e16844/iocs",
        "https://www.virustotal.com/graph/embed/gf16ea757421742d8b025d78d53b5bdbc437ba572bcd440ec9b1537d454bd7141?theme=dark",
        "https://www.virustotal.com/gui/collection/207a9894ae39ecf054b7beae2c3d3bf8cc7978562eab9a17d7c8e1db95c634df/iocs",
        "https://www.virustotal.com/graph/embed/gca730d4ad5d04cd9932324db97a38c0b7b4cdb8848264962ab20ef48b3e00704?theme=dark",
        "https://www.virustotal.com/gui/collection/f1139bc311b44effd63c5f3c895386ffb5a15c012d0e1b3efcdad7a9f43af977/iocs",
        "https://www.virustotal.com/gui/collection/c42190433e95fe4960d3c57ec81e869fd063c7c98fe08de1e61c5c7b82ce7951/iocs",
        "https://www.virustotal.com/gui/collection/c01ec3ced8ca33a975e8f41324fe1f9cf2a3e5682137084e8f61c09d3121c3c8/iocs",
        "https://www.virustotal.com/gui/collection/3be31d72071834427b2c433fc5bf71a8288a47ed83012931ac676d56597415ce/iocs",
        "https://metadefender.com/results/file/bzI2MDUxMWc0TkVtTmRpT3g3eUh5VnhWTmZV",
        "https://www.virustotal.com/gui/file/caf6170928c2aa757b4b40593ee640353163e51777f1e41a2cb6e0e46c000b28/detection",
        "https://www.filescan.io/uploads/6a01fd27df14f1cb2ad02927/reports/5891da9f-7e53-46ae-a484-185895cae2d7/overview",
        "https://opentip.kaspersky.com/CAF6170928C2AA757B4B40593EE640353163E51777F1E41A2CB6E0E46C000B28/results?tab=upload",
        "https://yaraify.abuse.ch/scan/results/0890b04c-4d59-11f1-badc-42010aa4000b",
        "https://hybrid-analysis.com/file-collection/6a020a3c5aacd57afc0aa061"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Healthcare",
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21693,
        "FileHash-SHA1": 1413,
        "FileHash-SHA256": 1420,
        "domain": 26,
        "hostname": 24
      },
      "indicator_count": 24576,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 19,
      "modified_text": "19 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc4d77afa81737a1d6262c",
      "name": "Fsysna - Privileged Agent Rufus",
      "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth. Technical Analysis: (1) Subversion of Security Policies: the artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP). (2) Direct Disk Manipulation: exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection. (3) Privileged Discovery: forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness. (4) Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.",
      "modified": "2026-05-08T06:33:56.667000",
      "created": "2026-05-07T08:29:43.174000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 138,
        "domain": 29,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "IPv4": 41,
        "hostname": 79,
        "URL": 84,
        "email": 48
      },
      "indicator_count": 431,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc4d769e89dc96fce03ffe",
      "name": "Fsysna - Privileged Agent Rufus",
      "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth. Technical Analysis: (1) Subversion of Security Policies: the artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP). (2) Direct Disk Manipulation: exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection. (3) Privileged Discovery: forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness. (4) Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.",
      "modified": "2026-05-08T06:33:56.571000",
      "created": "2026-05-07T08:29:42.377000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 138,
        "domain": 29,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "IPv4": 41,
        "hostname": 79,
        "URL": 84,
        "email": 48
      },
      "indicator_count": 431,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc4d75bbb155224dcb27b7",
      "name": "Fsysna - Privileged Agent Rufus",
      "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth. Technical Analysis: (1) Subversion of Security Policies: the artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP). (2) Direct Disk Manipulation: exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection. (3) Privileged Discovery: forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness. (4) Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.",
      "modified": "2026-05-08T06:33:55.728000",
      "created": "2026-05-07T08:29:41.963000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 138,
        "domain": 30,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "IPv4": 41,
        "hostname": 79,
        "URL": 84,
        "email": 48
      },
      "indicator_count": 432,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b48ea78085bbda7a865868",
      "name": "CAPE Sandbox",
      "description": "",
      "modified": "2026-04-12T22:04:09.704000",
      "created": "2026-03-13T22:24:39.736000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 30,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 15,
        "URL": 14,
        "domain": 13,
        "hostname": 37
      },
      "indicator_count": 124,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "48 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b49187d33c6df06eed1b57",
      "name": "vxCube \u2014 Report",
      "description": "Need to study the sample further; preliminary look: unauth. Google Cloud domain use.",
      "modified": "2026-04-12T00:05:39.579000",
      "created": "2026-03-13T22:36:55.274000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4296,
        "FileHash-SHA1": 5,
        "URL": 6,
        "domain": 15,
        "hostname": 18,
        "FileHash-SHA256": 4
      },
      "indicator_count": 4344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "49 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66e9c8e63a72c7cb531a58ba",
      "name": "08.09.24 URLscanio 2 weeks.csv",
      "description": "",
      "modified": "2025-10-25T02:09:23.619000",
      "created": "2024-09-17T18:22:30.731000",
      "tags": [],
      "references": [
        "https://x.com/NorrisN60014/status/1836092481978486802",
        "https://x.com/NorrisN60014/status/1836092481978486802",
        "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f",
        "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2",
        "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports",
        "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-MD5": 6,
        "URL": 1074,
        "domain": 1530,
        "email": 2,
        "hostname": 2849
      },
      "indicator_count": 5464,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "218 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f235b9a7a94a6a61acd651",
      "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
      "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.",
      "modified": "2025-03-07T08:38:08.584000",
      "created": "2024-09-24T03:44:57.902000",
      "tags": [
        "geoip",
        "public url",
        "as16509",
        "amazon02",
        "as20940",
        "akamaiasn1",
        "as8075",
        "as15169",
        "google",
        "akamaias",
        "facebook",
        "telecom",
        "twitter",
        "media",
        "win64",
        "level3",
        "mini",
        "ukraine",
        "proton",
        "ghost",
        "win32",
        "cuba",
        "mexico",
        "indonesia",
        "seznam",
        "as3359",
        "as852"
      ],
      "references": [
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://n0paste.eu/UH6n5pD/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Anguilla",
        "Poland",
        "Aruba",
        "Australia",
        "Barbados",
        "Costa Rica",
        "Guatemala",
        "Philippines",
        "Panama",
        "Sint Maarten (Dutch part)",
        "Saint Martin (French part)",
        "Cayman Islands",
        "Cura\u00e7ao",
        "Mexico",
        "Saint Vincent and the Grenadines",
        "Saint Kitts and Nevis",
        "Tanzania, United Republic of",
        "Netherlands",
        "Ukraine",
        "Trinidad and Tobago",
        "Japan",
        "Bahamas",
        "United Kingdom of Great Britain and Northern Ireland",
        "Georgia"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology",
        "Government",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "CIDR": 1186,
        "CVE": 4,
        "FileHash-MD5": 29,
        "FileHash-SHA1": 3,
        "URL": 25493,
        "domain": 5396,
        "email": 10,
        "hostname": 10770
      },
      "indicator_count": 42892,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 149,
      "modified_text": "450 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66bf266b6fcd9faea7066e4a",
      "name": "Malwarebytes - Compromised Host | Injector | Simba | System Hijacking",
      "description": "\"Bundled Files: Malwarebytes.Premium.prem.com:\nMalicious noses sound in Malwarebytes with capabilities to infect entire system, bios (all). Complete CnC. High priority malicious.\nALF:JASYP:PUAWin32/Bibado!atmn\nBackdoor.Win32.Shiz.ivr\nGeneric\nSimda\nVirTool:Win32/Injector.gen!BQ\nWin.Trojan.Agent-316098\nWin.Trojan.Agent-316117",
      "modified": "2024-09-15T07:02:25.374000",
      "created": "2024-08-16T10:14:03.907000",
      "tags": [
        "historical ssl",
        "threat network",
        "infrastructure",
        "referrer",
        "adversaries",
        "information",
        "win32diskdrive",
        "win32processor",
        "windows",
        "registry run",
        "registers",
        "flow t1574",
        "dll sideloading",
        "powershell",
        "window",
        "modify registry",
        "e1203 windows",
        "catalog tree",
        "analysis ob0001",
        "b0001 memory",
        "b0002 guard",
        "virtual machine",
        "detection b0009",
        "check registry",
        "check",
        "cnamazon rsa",
        "m02 oamazon",
        "number",
        "cus subject",
        "data",
        "m01 oamazon",
        "dns resolutions",
        "ip traffic",
        "memory pattern",
        "domains",
        "hashes",
        "user",
        "peexe c",
        "text c",
        "menu c",
        "menuprograms c",
        "games c",
        "text",
        "ttf c",
        "file system",
        "defender c",
        "desktop",
        "analyzer paste",
        "iocs",
        "hostnames",
        "url https",
        "samples",
        "generic malware",
        "tag count",
        "tue apr",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "sample",
        "first",
        "generic",
        "united",
        "mail spammer",
        "host",
        "cins active",
        "poor reputation",
        "detection list",
        "ip address",
        "blacklist",
        "malicious host",
        "team http",
        "cisco umbrella",
        "site",
        "safe site",
        "alexa top",
        "million",
        "fuery",
        "malware",
        "presenoker",
        "team",
        "riskware",
        "artemis",
        "passive dns",
        "as44273 host",
        "urls",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "files",
        "domain",
        "files ip",
        "unknown",
        "germany unknown",
        "bq aug",
        "virtool",
        "ipv4",
        "main",
        "related pulses",
        "file samples",
        "files matching",
        "show",
        "search",
        "date hash",
        "showing",
        "next",
        "win32",
        "nxdomain",
        "ip related",
        "gmt content",
        "type",
        "x frame",
        "sameorigin x",
        "xss protection",
        "encrypt",
        "asnone united",
        "title error",
        "pulse submit",
        "url analysis",
        "date",
        "status",
        "creation date",
        "name servers",
        "hostname",
        "urls http",
        "msie",
        "windows nt",
        "slcc2",
        "media center",
        "suspicious",
        "verisign",
        "simda",
        "copy",
        "possible",
        "class",
        "write",
        "code",
        "win32 exe",
        "available from",
        "services",
        "registry tech",
        "server",
        "registrar abuse",
        "dnssec",
        "registrant name",
        "ninite",
        "dns replication",
        "technology",
        "bq jun",
        "bq jul",
        "domain status",
        "domain name",
        "contact email",
        "contact phone",
        "full name",
        "algorithm",
        "v3 serial",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "info",
        "avast avg",
        "entries",
        "exclusionpath",
        "created",
        "shell commands",
        "processes tree",
        "silent log",
        "norestart",
        "k wersvcgroup",
        "pss s",
        "k wsappx",
        "signals mutexes",
        "mutexes",
        "global",
        "synchronization",
        "dataset",
        "system property",
        "lookups",
        "select index",
        "macaddress",
        "adaptertypeid0",
        "win32bios",
        "index0",
        "where index0",
        "select uuid",
        "self-delete",
        "persistence",
        "macro-powershell",
        "long-sleeps",
        "calls-wmi",
        "checks-bios",
        "checks-disk-space",
        "checks-memory-available",
        "checks-network-adapters",
        "checks-usb-bus",
        "checks-user-input",
        "crypto",
        "detect-debug-environment",
        "dos batch",
        "file type",
        "pe resource",
        "malicious",
        "socks5systemz",
        "nushell",
        "autodiscovery",
        "cookietheft",
        "twitter ad",
        "dos batch file",
        "t1064 executes",
        "mitre att",
        "ta0002 command",
        "t1059 uses",
        "dlls privilege",
        "dlls defense",
        "evasion ta0005"
      ],
      "references": [
        "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip",
        "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com",
        "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep",
        "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113",
        "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements",
        "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st",
        "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)",
        "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)",
        "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)",
        "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e",
        "Antivirus Detections: Win.Trojan.Carberp-6809884-0 ,  VirTool:Win32/Injector.gen!BQ  Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat",
        "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0",
        "Yara Detections: generic_shellcode_downloader",
        "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content",
        "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Generic",
          "display_name": "Generic",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent-316098",
          "display_name": "Win.Trojan.Agent-316098",
          "target": null
        },
        {
          "id": "Win.Trojan.Istbar-231",
          "display_name": "Win.Trojan.Istbar-231",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUAWin32/Bibado!atmn",
          "display_name": "ALF:JASYP:PUAWin32/Bibado!atmn",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "Backdoor.Win32.Shiz.ivr",
          "display_name": "Backdoor.Win32.Shiz.ivr",
          "target": null
        },
        {
          "id": "Simda",
          "display_name": "Simda",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent-316117",
          "display_name": "Win.Trojan.Agent-316117",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1848,
        "FileHash-MD5": 1826,
        "FileHash-SHA1": 1296,
        "domain": 152,
        "hostname": 265,
        "URL": 132,
        "email": 2
      },
      "indicator_count": 5521,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 232,
      "modified_text": "623 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66c52fe96ef88583efb8484f",
      "name": "Compromised Host - Malwarebytes | Injector | Simba | System Hijacking",
      "description": "",
      "modified": "2024-09-15T07:02:25.374000",
      "created": "2024-08-21T00:08:09.738000",
      "tags": [
        "historical ssl",
        "threat network",
        "infrastructure",
        "referrer",
        "adversaries",
        "information",
        "win32diskdrive",
        "win32processor",
        "windows",
        "registry run",
        "registers",
        "flow t1574",
        "dll sideloading",
        "powershell",
        "window",
        "modify registry",
        "e1203 windows",
        "catalog tree",
        "analysis ob0001",
        "b0001 memory",
        "b0002 guard",
        "virtual machine",
        "detection b0009",
        "check registry",
        "check",
        "cnamazon rsa",
        "m02 oamazon",
        "number",
        "cus subject",
        "data",
        "m01 oamazon",
        "dns resolutions",
        "ip traffic",
        "memory pattern",
        "domains",
        "hashes",
        "user",
        "peexe c",
        "text c",
        "menu c",
        "menuprograms c",
        "games c",
        "text",
        "ttf c",
        "file system",
        "defender c",
        "desktop",
        "analyzer paste",
        "iocs",
        "hostnames",
        "url https",
        "samples",
        "generic malware",
        "tag count",
        "tue apr",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "sample",
        "first",
        "generic",
        "united",
        "mail spammer",
        "host",
        "cins active",
        "poor reputation",
        "detection list",
        "ip address",
        "blacklist",
        "malicious host",
        "team http",
        "cisco umbrella",
        "site",
        "safe site",
        "alexa top",
        "million",
        "fuery",
        "malware",
        "presenoker",
        "team",
        "riskware",
        "artemis",
        "passive dns",
        "as44273 host",
        "urls",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "files",
        "domain",
        "files ip",
        "unknown",
        "germany unknown",
        "bq aug",
        "virtool",
        "ipv4",
        "main",
        "related pulses",
        "file samples",
        "files matching",
        "show",
        "search",
        "date hash",
        "showing",
        "next",
        "win32",
        "nxdomain",
        "ip related",
        "gmt content",
        "type",
        "x frame",
        "sameorigin x",
        "xss protection",
        "encrypt",
        "asnone united",
        "title error",
        "pulse submit",
        "url analysis",
        "date",
        "status",
        "creation date",
        "name servers",
        "hostname",
        "urls http",
        "msie",
        "windows nt",
        "slcc2",
        "media center",
        "suspicious",
        "verisign",
        "simda",
        "copy",
        "possible",
        "class",
        "write",
        "code",
        "win32 exe",
        "available from",
        "services",
        "registry tech",
        "server",
        "registrar abuse",
        "dnssec",
        "registrant name",
        "ninite",
        "dns replication",
        "technology",
        "bq jun",
        "bq jul",
        "domain status",
        "domain name",
        "contact email",
        "contact phone",
        "full name",
        "algorithm",
        "v3 serial",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "info",
        "avast avg",
        "entries",
        "exclusionpath",
        "created",
        "shell commands",
        "processes tree",
        "silent log",
        "norestart",
        "k wersvcgroup",
        "pss s",
        "k wsappx",
        "signals mutexes",
        "mutexes",
        "global",
        "synchronization",
        "dataset",
        "system property",
        "lookups",
        "select index",
        "macaddress",
        "adaptertypeid0",
        "win32bios",
        "index0",
        "where index0",
        "select uuid",
        "self-delete",
        "persistence",
        "macro-powershell",
        "long-sleeps",
        "calls-wmi",
        "checks-bios",
        "checks-disk-space",
        "checks-memory-available",
        "checks-network-adapters",
        "checks-usb-bus",
        "checks-user-input",
        "crypto",
        "detect-debug-environment",
        "dos batch",
        "file type",
        "pe resource",
        "malicious",
        "socks5systemz",
        "nushell",
        "autodiscovery",
        "cookietheft",
        "twitter ad",
        "dos batch file",
        "t1064 executes",
        "mitre att",
        "ta0002 command",
        "t1059 uses",
        "dlls privilege",
        "dlls defense",
        "evasion ta0005"
      ],
      "references": [
        "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip",
        "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com",
        "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep",
        "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113",
        "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements",
        "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st",
        "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)",
        "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)",
        "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)",
        "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e",
        "Antivirus Detections: Win.Trojan.Carberp-6809884-0 ,  VirTool:Win32/Injector.gen!BQ  Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat",
        "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
        "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0",
        "Yara Detections: generic_shellcode_downloader",
        "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content",
        "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Generic",
          "display_name": "Generic",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent-316098",
          "display_name": "Win.Trojan.Agent-316098",
          "target": null
        },
        {
          "id": "Win.Trojan.Istbar-231",
          "display_name": "Win.Trojan.Istbar-231",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUAWin32/Bibado!atmn",
          "display_name": "ALF:JASYP:PUAWin32/Bibado!atmn",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "Backdoor.Win32.Shiz.ivr",
          "display_name": "Backdoor.Win32.Shiz.ivr",
          "target": null
        },
        {
          "id": "Simda",
          "display_name": "Simda",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent-316117",
          "display_name": "Win.Trojan.Agent-316117",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66bf266b6fcd9faea7066e4a",
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1848,
        "FileHash-MD5": 1826,
        "FileHash-SHA1": 1296,
        "domain": 152,
        "hostname": 265,
        "URL": 132,
        "email": 2
      },
      "indicator_count": 5521,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "623 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "mode.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "mode.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780225283.1748745
}