{ "type": "Domain", "indicator": "office.de", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/office.de", "alexa": "http://www.alexa.com/siteinfo/office.de", "indicator": "office.de", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2449888394, "indicator": "office.de", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682874fe0c1ffb595c485d39", "name": "http_vgt.pl_admin.gname.net_content.html 77b20b5cd41bc6bb475cca3f91ae6e3c", "description": "VGT.pl Franas.A Z\u0142odziej jakich ma\u0142o, s\u0105 4K plik\u00f3w allegro ( oszustwa , machlojki itd)\nhttps://www.virustotal.com/gui/file/5511a9b9f9144ed7bde4ccb074733b7c564d918d2a8https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=d7293ed6e3c6856f7d5bc23f60f0fa2f2c16fb99b10d391afc6be5b3b1509/relations", "modified": "2025-06-20T10:03:27.328000", "created": "2025-05-17T11:37:34.134000", "tags": [ "sha1", "sha512", "sha256" ], "references": [ "MD5 77b20b5cd41bc6bb475cca3f91ae6e3c", "SHA1 9e98ace72bd2ab931341427a856ef4cea6faf806", "\u201ec:\\program files\\internet explorer\\iexplore.exe\u201d SCODEF:2820 CREDAT:79873", "VGT INTERNET - pozycjonowanie, serwery, domena, strony www, poligrafia", "c:\\u\u017cytkownicy\\administrator\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 877, "FileHash-MD5": 1455, "FileHash-SHA256": 3502, "CVE": 5, "domain": 351, "hostname": 1459, "URL": 2343, "IPv4": 1, "CIDR": 1 }, "indicator_count": 9994, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cbb85a6cfde70987049f81", "name": "Hijacked Android: CryptInject | Dridex | Spyware", "description": "Hijacked basic android phone purchased in US directly from vendor not carrier. Spyware, SQL and other malware found. \nIt's a bit confusing IC3 is typically synonymous with United States FBI cyber security complaint division. Issue appear to be originating from China. This is interesting. Microsoft Teams CN have login, password, account, modification privileges as well as an 'audience'. \nVictim contacted IC3, received no response when contacting IC3 from personal devices. Calls are being made from phone as well as many other intrusive activities.\nOriginated from an IP address found on phone with a SWIPPER dba Verizon Business with a Hurricane Electric BGP relationship.", "modified": "2024-09-24T21:00:32.174000", "created": "2024-08-25T23:03:54.460000", "tags": [ "windows", "service", "shellexecuteexw", "writeconsolew", "registry", "modify existing", "dock", "write", "malware", "binary_yara", "yara rule", "binary file", "all scoreblue", "av detections", "ids detections", "yara detections", "alerts", "all search", "otx scoreblue", "analysis date", "risk", "show", "filehash", "april", "trojanspy", "file score", "june", "passive dns", "urls", "hostname", "url analysis", "domain", "china unknown", "as133775", "as4847 china", "united", "as4811 china", "as4837 china", "as54994 quantil", "as133774", "cname", "aaaa", "as20940", "registrar", "unknown related", "pulses otx", "tags", "present", "issuer cus", "odigicert inc", "road", "beijing country", "blue cloud", "apnic person", "cn phone", "ip information", "quick stats", "ip location", "china", "ltd asn", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "apnic irt", "beijing email", "whois lookups", "country", "filtered role", "abuse cnniccn", "algorithm", "key usage", "first", "v3 serial", "number", "cus odigicert", "inc cndigicert", "basic rsa", "cn ca", "g2 validity", "status hostname", "query type", "address first", "seen last", "country unknown", "files ip", "sql client", "historical ssl", "referrer", "win32", "entries", "scan endpoints", "pulse pulses", "copy" ], "references": [ "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:AGGR:Mytonel_Obfuscator", "display_name": "ALF:AGGR:Mytonel_Obfuscator", "target": null }, { "id": "Win.Malware.Generic-9870238-0", "display_name": "Win.Malware.Generic-9870238-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Malware.Zusy-9875693-0", "display_name": "Win.Malware.Zusy-9875693-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "target": null }, { "id": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "display_name": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1673, "FileHash-SHA1": 1344, "FileHash-SHA256": 3753, "domain": 224, "hostname": 613, "URL": 490, "email": 8, "CIDR": 1 }, "indicator_count": 8106, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "COPYING.linux", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs", "config-5.15.44-Re4son-v8l+", "config.txt", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v7l+", "theme.txt", "c:\\u\u017cytkownicy\\administrator\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "cmdline.txt", "README", "\u201ec:\\program files\\internet explorer\\iexplore.exe\u201d SCODEF:2820 CREDAT:79873", "VGT INTERNET - pozycjonowanie, serwery, domena, strony www, poligrafia", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "config-5.15.44-Re4son-v7+", "grub_background.sh", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "config-5.15.44-Re4son-v8+", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "LICENCE.broadcom", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "MD5 77b20b5cd41bc6bb475cca3f91ae6e3c", "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "SHA1 9e98ace72bd2ab931341427a856ef4cea6faf806", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win.malware.generic-9870238-0", "Win.malware.zusy-9875693-0", "Alf:aggr:mytonel_obfuscator", "Alf:heraklezeval:trojanspy:win32/rebhip.f", "Alf:jasyp:virtool:msil/cryptinject!atmn", "Trojanspy", "Alf:heraklezeval:trojandownloader:win32/dridex!rfn" ], "industries": [ "Telecommunications", "Finance", "Transportation", "Healthcare", "Education", "Government", "Agriculture" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682874fe0c1ffb595c485d39", "name": "http_vgt.pl_admin.gname.net_content.html 77b20b5cd41bc6bb475cca3f91ae6e3c", "description": "VGT.pl Franas.A Z\u0142odziej jakich ma\u0142o, s\u0105 4K plik\u00f3w allegro ( oszustwa , machlojki itd)\nhttps://www.virustotal.com/gui/file/5511a9b9f9144ed7bde4ccb074733b7c564d918d2a8https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=d7293ed6e3c6856f7d5bc23f60f0fa2f2c16fb99b10d391afc6be5b3b1509/relations", "modified": "2025-06-20T10:03:27.328000", "created": "2025-05-17T11:37:34.134000", "tags": [ "sha1", "sha512", "sha256" ], "references": [ "MD5 77b20b5cd41bc6bb475cca3f91ae6e3c", "SHA1 9e98ace72bd2ab931341427a856ef4cea6faf806", "\u201ec:\\program files\\internet explorer\\iexplore.exe\u201d SCODEF:2820 CREDAT:79873", "VGT INTERNET - pozycjonowanie, serwery, domena, strony www, poligrafia", "c:\\u\u017cytkownicy\\administrator\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 877, "FileHash-MD5": 1455, "FileHash-SHA256": 3502, "CVE": 5, "domain": 351, "hostname": 1459, "URL": 2343, "IPv4": 1, "CIDR": 1 }, "indicator_count": 9994, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cbb85a6cfde70987049f81", "name": "Hijacked Android: CryptInject | Dridex | Spyware", "description": "Hijacked basic android phone purchased in US directly from vendor not carrier. Spyware, SQL and other malware found. \nIt's a bit confusing IC3 is typically synonymous with United States FBI cyber security complaint division. Issue appear to be originating from China. This is interesting. Microsoft Teams CN have login, password, account, modification privileges as well as an 'audience'. \nVictim contacted IC3, received no response when contacting IC3 from personal devices. Calls are being made from phone as well as many other intrusive activities.\nOriginated from an IP address found on phone with a SWIPPER dba Verizon Business with a Hurricane Electric BGP relationship.", "modified": "2024-09-24T21:00:32.174000", "created": "2024-08-25T23:03:54.460000", "tags": [ "windows", "service", "shellexecuteexw", "writeconsolew", "registry", "modify existing", "dock", "write", "malware", "binary_yara", "yara rule", "binary file", "all scoreblue", "av detections", "ids detections", "yara detections", "alerts", "all search", "otx scoreblue", "analysis date", "risk", "show", "filehash", "april", "trojanspy", "file score", "june", "passive dns", "urls", "hostname", "url analysis", "domain", "china unknown", "as133775", "as4847 china", "united", "as4811 china", "as4837 china", "as54994 quantil", "as133774", "cname", "aaaa", "as20940", "registrar", "unknown related", "pulses otx", "tags", "present", "issuer cus", "odigicert inc", "road", "beijing country", "blue cloud", "apnic person", "cn phone", "ip information", "quick stats", "ip location", "china", "ltd asn", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "apnic irt", "beijing email", "whois lookups", "country", "filtered role", "abuse cnniccn", "algorithm", "key usage", "first", "v3 serial", "number", "cus odigicert", "inc cndigicert", "basic rsa", "cn ca", "g2 validity", "status hostname", "query type", "address first", "seen last", "country unknown", "files ip", "sql client", "historical ssl", "referrer", "win32", "entries", "scan endpoints", "pulse pulses", "copy" ], "references": [ "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:AGGR:Mytonel_Obfuscator", "display_name": "ALF:AGGR:Mytonel_Obfuscator", "target": null }, { "id": "Win.Malware.Generic-9870238-0", "display_name": "Win.Malware.Generic-9870238-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Malware.Zusy-9875693-0", "display_name": "Win.Malware.Zusy-9875693-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "target": null }, { "id": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "display_name": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1673, "FileHash-SHA1": 1344, "FileHash-SHA256": 3753, "domain": 224, "hostname": 613, "URL": 490, "email": 8, "CIDR": 1 }, "indicator_count": 8106, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "office.de", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "office.de", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780342927.5824544 }