{
  "type": "Domain",
  "indicator": "openbitcoin.org",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/openbitcoin.org",
    "alexa": "http://www.alexa.com/siteinfo/openbitcoin.org",
    "indicator": "openbitcoin.org",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 982022346,
      "indicator": "openbitcoin.org",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "68635823896b29555651547d",
          "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |",
          "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more",
          "modified": "2025-07-31T03:00:41.573000",
          "created": "2025-07-01T03:38:11.946000",
          "tags": [
            "type name",
            "win32 exe",
            "graph summary",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "filehashmd5",
            "entries",
            "indicator",
            "quad9",
            "ircbot",
            "ck ids",
            "t1140",
            "information",
            "t1060",
            "run keys",
            "startup",
            "folder"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 201,
            "FileHash-SHA1": 196,
            "FileHash-SHA256": 2723,
            "URL": 82,
            "domain": 183,
            "hostname": 439
          },
          "indicator_count": 3824,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68635826ef3c26c8f6546ad5",
          "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |",
          "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more\n\n(Cannot annotate)",
          "modified": "2025-07-31T03:00:41.573000",
          "created": "2025-07-01T03:38:14.229000",
          "tags": [
            "type name",
            "win32 exe",
            "graph summary",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "filehashmd5",
            "entries",
            "indicator",
            "quad9",
            "ircbot",
            "ck ids",
            "t1140",
            "information",
            "t1060",
            "run keys",
            "startup",
            "folder"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 201,
            "FileHash-SHA1": 196,
            "FileHash-SHA256": 2723,
            "URL": 82,
            "domain": 183,
            "hostname": 439
          },
          "indicator_count": 3824,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6863521d5a9eb677bcf1e0b2",
          "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
          "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is  even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
          "modified": "2025-07-31T02:02:26.079000",
          "created": "2025-07-01T03:12:29.977000",
          "tags": [
            "feebs",
            "type name",
            "win32 exe",
            "graph summary"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 402,
            "domain": 151,
            "URL": 83,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 160,
            "FileHash-SHA256": 1646
          },
          "indicator_count": 2605,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6863521f80ccde1b71d70787",
          "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
          "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is  even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
          "modified": "2025-07-31T02:02:26.079000",
          "created": "2025-07-01T03:12:31.831000",
          "tags": [
            "feebs",
            "type name",
            "win32 exe",
            "graph summary"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 402,
            "domain": 151,
            "URL": 83,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 160,
            "FileHash-SHA256": 1646
          },
          "indicator_count": 2605,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6863521fed1bb77251bfd931",
          "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
          "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\nMALICIOUS. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is  even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
          "modified": "2025-07-31T02:02:26.079000",
          "created": "2025-07-01T03:12:31.004000",
          "tags": [
            "feebs",
            "type name",
            "win32 exe",
            "graph summary"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 402,
            "domain": 151,
            "URL": 83,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 160,
            "FileHash-SHA256": 1646
          },
          "indicator_count": 2605,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686352205a51630fe27eb9ae",
          "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
          "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours , months days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance , it would me unethical , silencing , aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital . There is  even has a Reddit threat about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
          "modified": "2025-07-31T02:02:26.079000",
          "created": "2025-07-01T03:12:32.035000",
          "tags": [
            "feebs",
            "type name",
            "win32 exe",
            "graph summary"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 402,
            "domain": 151,
            "URL": 83,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 160,
            "FileHash-SHA256": 1646
          },
          "indicator_count": 2605,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f189aff81e9d7635584b0d",
          "name": "VBS[.]zip - 04.05.25",
          "description": "382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b - VBS[.]zip - 04.05.25",
          "modified": "2025-06-24T06:21:45.960000",
          "created": "2025-04-05T19:51:10.998000",
          "tags": [
            "1996",
            "mm28",
            "mnsnj5o7dn7e",
            "msnvh",
            "mt1627120573",
            "mvi4",
            "shardbypassyes",
            "af81 http",
            "VBS"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/7b031642a30f1ee179e901d885a09c9e285273ad8a0605f08b84e81b4f715ea3",
            "https://www.virustotal.com/graph/embed/gd8e70aa0638046c8af997e3e7fe529f1cfe2a121f5ca473880544f95a17eb56e?theme=dark",
            "https://www.virustotal.com/gui/collection/7b031642a30f1ee179e901d885a09c9e285273ad8a0605f08b84e81b4f715ea3/iocs",
            "https://tria.ge/240930-t6zdtsvfmk",
            "https://mwdb.cert.pl/file/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
            "https://jaffacakes118.dev/analysis/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
            "https://tip.neiki.dev/file/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications",
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 112,
            "FileHash-MD5": 33,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 168,
            "SSLCertFingerprint": 1,
            "domain": 19,
            "hostname": 80
          },
          "indicator_count": 444,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "342 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663d2869e0f3a42bbddc42ff",
          "name": "UPX executable packer.",
          "description": "A new rule has been introduced  a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"",
          "modified": "2024-10-14T00:01:17.069000",
          "created": "2024-05-09T19:47:53.786000",
          "tags": [
            "cioch adrian",
            "centrum usug",
            "sieciowych",
            "elf binary",
            "upx compression",
            "roth",
            "nextron",
            "info",
            "javascript",
            "html",
            "office open",
            "xml document",
            "network capture",
            "win32 exe",
            "xml pakietu",
            "pdf zestawy",
            "przechwytywanie",
            "office",
            "filehashsha1",
            "url https",
            "cve cve20201070",
            "cve cve20203153",
            "cve cve20201048",
            "cve cve20211732",
            "cve20201048 apr",
            "filehashmd5",
            "cve cve20010901",
            "cve cve20021841",
            "cve20153202 apr",
            "cve cve20160728",
            "cve cve20161807",
            "cve cve20175123",
            "cve20185407 apr",
            "cve cve20054605",
            "cve cve20060745",
            "cve cve20070452",
            "cve cve20070453",
            "cve cve20070454",
            "cve cve20071355",
            "cve cve20071358",
            "cve cve20071871",
            "cve20149614 apr",
            "cve cve20151503",
            "cve cve20152080",
            "cve cve20157377",
            "cve cve20170131",
            "cve20200796 may",
            "cve cve20113403"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6861,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 5771,
            "domain": 3139,
            "URL": 14525,
            "FileHash-SHA1": 2610,
            "IPv4": 108,
            "CIDR": 40,
            "FileHash-SHA256": 10705,
            "FileHash-MD5": 3373,
            "YARA": 2,
            "CVE": 148,
            "Mutex": 7,
            "FilePath": 3,
            "SSLCertFingerprint": 3,
            "email": 23,
            "JA3": 1,
            "IPv6": 2
          },
          "indicator_count": 40460,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "595 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e1bcdc0a1e68182c252028",
          "name": "Activity Kotlin Extensions | Cryptor |  Zombie Device | Network CnC",
          "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera,  photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet.  Excessive Tracking . Pegasus relationships found.  M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.",
          "modified": "2024-03-31T11:04:36.813000",
          "created": "2024-03-01T11:32:44.504000",
          "tags": [
            "communicating",
            "contacted",
            "android",
            "execution",
            "plugx",
            "threat",
            "iocs",
            "analyze",
            "urls http",
            "google llc",
            "server",
            "registrar abuse",
            "registrar iana",
            "us registrant",
            "date",
            "passive dns",
            "all octoseek",
            "http",
            "ip address",
            "related nids",
            "files location",
            "nsis",
            "network icmp",
            "read c",
            "entries",
            "search",
            "create c",
            "ddlr ltd",
            "write c",
            "sat may",
            "pe32",
            "intel",
            "write",
            "status",
            "urls",
            "creation date",
            "type",
            "hostname",
            "kotlin",
            "precreate read",
            "infotip read",
            "js user",
            "trojan",
            "ununtu",
            "linux",
            "module load",
            "t1129",
            "show",
            "copy",
            "win32",
            "malware",
            "as15169 google",
            "united",
            "unknown",
            "aaaa",
            "name servers",
            "showing",
            "error",
            "query",
            "default",
            "large dns",
            "malware dns",
            "msie",
            "windows nt",
            "february",
            "yara detections",
            "vbmod",
            "endpoints all",
            "pulse pulses",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "recon_fingerprint",
            "dead_host",
            "nolookup_communication",
            "antidbg_windows",
            "antivm_generic_bios",
            "browser_security",
            "modifies_certificates",
            "network_cnc_http",
            "network_http",
            "allocates_rwx",
            "antisandbox_sleep",
            "creates_exe",
            "exe_appdata",
            "dropper",
            "protection_rx",
            "antivm_network_adapters",
            "antivm_memory_available",
            "pe_features",
            "checks_debugger",
            "address",
            "domains ii",
            "servers",
            "set cookie",
            "next",
            "chrome",
            "record value",
            "body",
            "meta",
            "taiwan",
            "as3462",
            "as17421",
            "files",
            "dcbg",
            "direct search network",
            "spyware",
            "brian sabey",
            "norad tracking",
            "zombie",
            "scanning host",
            "apple",
            "ios",
            "lenovo",
            "cyber crime",
            "framing",
            "process32nextw",
            "regsetvalueexa",
            "tlsv1",
            "regopenkeyexw",
            "regdword",
            "loader",
            "suspicious",
            "persistence"
          ],
          "references": [
            "xxx.developer.android.com",
            "Activity Kotlin Extensions (1.1.0) Tracking \u2022  Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa",
            "Package Manager: Maven  Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01",
            "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]",
            "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee",
            "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379",
            "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5",
            "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3",
            "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,",
            "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5",
            "Large DNS Query possible covert channel\t192.168.56.101",
            "Yara Detections: MS_Visual_Basic_6_0 ,  vad_contains_network_strings ,  EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT ,  EXECryptor224StrongbitSoftCompleteDevelopmenth3 ,  EXECryptor2xxmaxcompressedresources ,",
            "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom",
            "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver",
            "track.adminresourceupdate.com \u2022 postracking100.online",
            "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com",
            "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0",
            "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339",
            "mobile.detectivesoliver.com \u2022 callback.mobileboost.me",
            "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header",
            "Yara Detections: stack_string ,  ConventionEngine_Keyword_Install ,  research_pe_signed_outside_timestamp ,  xor_0x20_xord_javascript"
          ],
          "public": 1,
          "adversary": "[Unnamed group]",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Malware.Agent-6386296-0",
              "display_name": "Win.Malware.Agent-6386296-0",
              "target": null
            },
            {
              "id": "#Lowfi:Trojan:JS/Auto59",
              "display_name": "#Lowfi:Trojan:JS/Auto59",
              "target": null
            },
            {
              "id": "Win32:VBMod\\ [Trj]",
              "display_name": "Win32:VBMod\\ [Trj]",
              "target": null
            },
            {
              "id": "!EXECryptor_2.x.x",
              "display_name": "!EXECryptor_2.x.x",
              "target": null
            },
            {
              "id": "Win32:VBMod\\ [Trj]",
              "display_name": "Win32:VBMod\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.5229994-1",
              "display_name": "Win.Trojan.5229994-1",
              "target": null
            },
            {
              "id": "Taiwan",
              "display_name": "Taiwan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1399",
              "name": "Modify Trusted Execution Environment",
              "display_name": "T1399 - Modify Trusted Execution Environment"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1554",
              "name": "Compromise Client Software Binary",
              "display_name": "T1554 - Compromise Client Software Binary"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 636,
            "FileHash-SHA1": 402,
            "FileHash-SHA256": 1126,
            "URL": 3482,
            "domain": 1192,
            "hostname": 1324,
            "email": 7,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 8171,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "792 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5",
        "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver",
        "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0",
        "https://tip.neiki.dev/file/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
        "Activity Kotlin Extensions (1.1.0) Tracking \u2022  Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa",
        "mobile.detectivesoliver.com \u2022 callback.mobileboost.me",
        "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5",
        "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com",
        "https://mwdb.cert.pl/file/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
        "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]",
        "Large DNS Query possible covert channel\t192.168.56.101",
        "https://www.virustotal.com/graph/embed/gd8e70aa0638046c8af997e3e7fe529f1cfe2a121f5ca473880544f95a17eb56e?theme=dark",
        "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3",
        "Yara Detections: stack_string ,  ConventionEngine_Keyword_Install ,  research_pe_signed_outside_timestamp ,  xor_0x20_xord_javascript",
        "https://www.virustotal.com/gui/collection/7b031642a30f1ee179e901d885a09c9e285273ad8a0605f08b84e81b4f715ea3",
        "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,",
        "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee",
        "https://tria.ge/240930-t6zdtsvfmk",
        "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379",
        "https://jaffacakes118.dev/analysis/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
        "track.adminresourceupdate.com \u2022 postracking100.online",
        "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom",
        "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339",
        "Yara Detections: MS_Visual_Basic_6_0 ,  vad_contains_network_strings ,  EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT ,  EXECryptor224StrongbitSoftCompleteDevelopmenth3 ,  EXECryptor2xxmaxcompressedresources ,",
        "xxx.developer.android.com",
        "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header",
        "https://www.virustotal.com/gui/collection/7b031642a30f1ee179e901d885a09c9e285273ad8a0605f08b84e81b4f715ea3/iocs",
        "Package Manager: Maven  Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01",
        "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "[Unnamed group]"
          ],
          "malware_families": [
            "Win.trojan.5229994-1",
            "#lowfi:trojan:js/auto59",
            "Win.malware.agent-6386296-0",
            "Taiwan",
            "Sabey",
            "Win32:vbmod\\ [trj]",
            "!execryptor_2.x.x"
          ],
          "industries": [
            "Civil society",
            "Technology",
            "Healthcare",
            "Education",
            "Telecommunications",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "68635823896b29555651547d",
      "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |",
      "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more",
      "modified": "2025-07-31T03:00:41.573000",
      "created": "2025-07-01T03:38:11.946000",
      "tags": [
        "type name",
        "win32 exe",
        "graph summary",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "filehashmd5",
        "entries",
        "indicator",
        "quad9",
        "ircbot",
        "ck ids",
        "t1140",
        "information",
        "t1060",
        "run keys",
        "startup",
        "folder"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 201,
        "FileHash-SHA1": 196,
        "FileHash-SHA256": 2723,
        "URL": 82,
        "domain": 183,
        "hostname": 439
      },
      "indicator_count": 3824,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68635826ef3c26c8f6546ad5",
      "name": "Trojan.Mybot-12000 | Parking Crew - Feebs Worm |",
      "description": "Feebs expansion didn\u2019t pulse the correct results. \nworm.feebs.ae \n#identified #active\nExpanded. Parking crews:\n\u2022 virus:Win32/Madang.A\n\u2022 Trojan.Mybot-12000\n\u2022 Win.Worm.Eggnog-6\n\u2022 Unruy\n\u2022 Worm.Picsys\n\u2022 worm:Win32/Mydoom.O!backdoor\n\u2022 Unruy\n\u2022 trojan:Win32/Phishbank.A\n\u2022 Win32:MultiPlug-ADL\\ [Adw]\n\u2022 DotNET_Crypto_Obfuscator\n\u2022 Worm.Feebs.AE Blocked by Quad9 - IRCbot \u2022 worm.feebs.ae \u2022 #dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #trojan #parkingcrew # domain #abuse #multi compromised #ping +\u2026 more\n\n(Cannot annotate)",
      "modified": "2025-07-31T03:00:41.573000",
      "created": "2025-07-01T03:38:14.229000",
      "tags": [
        "type name",
        "win32 exe",
        "graph summary",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "filehashmd5",
        "entries",
        "indicator",
        "quad9",
        "ircbot",
        "ck ids",
        "t1140",
        "information",
        "t1060",
        "run keys",
        "startup",
        "folder"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 201,
        "FileHash-SHA1": 196,
        "FileHash-SHA256": 2723,
        "URL": 82,
        "domain": 183,
        "hostname": 439
      },
      "indicator_count": 3824,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6863521d5a9eb677bcf1e0b2",
      "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
      "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours, months, days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance, it would be unethical, silencing, aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital. There is even a Reddit thread about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
      "modified": "2025-07-31T02:02:26.079000",
      "created": "2025-07-01T03:12:29.977000",
      "tags": [
        "feebs",
        "type name",
        "win32 exe",
        "graph summary"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 402,
        "domain": 151,
        "URL": 83,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 160,
        "FileHash-SHA256": 1646
      },
      "indicator_count": 2605,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6863521f80ccde1b71d70787",
      "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
      "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours, months, days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance, it would be unethical, silencing, aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital. There is even a Reddit thread about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
      "modified": "2025-07-31T02:02:26.079000",
      "created": "2025-07-01T03:12:31.831000",
      "tags": [
        "feebs",
        "type name",
        "win32 exe",
        "graph summary"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 402,
        "domain": 151,
        "URL": 83,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 160,
        "FileHash-SHA256": 1646
      },
      "indicator_count": 2605,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6863521fed1bb77251bfd931",
      "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
      "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours, months, days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance, it would be unethical, silencing, aiding, maligning, conspiracy or \u201ccollusion\u201d.\nMALICIOUS. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital. There is even a Reddit thread about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
      "modified": "2025-07-31T02:02:26.079000",
      "created": "2025-07-01T03:12:31.004000",
      "tags": [
        "feebs",
        "type name",
        "win32 exe",
        "graph summary"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 402,
        "domain": 151,
        "URL": 83,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 160,
        "FileHash-SHA256": 1646
      },
      "indicator_count": 2605,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686352205a51630fe27eb9ae",
      "name": "Parking Crew -  Feebs Worm | Domain Abuse |",
      "description": "worm.feebs.ae Expanded.\nParking crews monetize malicious DGA domains for large amounts of money. Hosting can last a minute to hours, months, days at a time. Governments also use these types of services if conducting a targeted investigation. In this one instance, it would be unethical, silencing, aiding, maligning, conspiracy or \u201ccollusion\u201d.\n\nSuper malicious. Found in network investigation of a malicious internet at an Upscale Denver Complex that was once a hospital. There is even a Reddit thread about how bad the internet is. There is so much maliciousness to review before speaking.\n#network#dga #trojan #parkingcrew # domain #abuse #multi compromised",
      "modified": "2025-07-31T02:02:26.079000",
      "created": "2025-07-01T03:12:32.035000",
      "tags": [
        "feebs",
        "type name",
        "win32 exe",
        "graph summary"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 402,
        "domain": 151,
        "URL": 83,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 160,
        "FileHash-SHA256": 1646
      },
      "indicator_count": 2605,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f189aff81e9d7635584b0d",
      "name": "VBS[.]zip - 04.05.25",
      "description": "382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b - VBS[.]zip - 04.05.25",
      "modified": "2025-06-24T06:21:45.960000",
      "created": "2025-04-05T19:51:10.998000",
      "tags": [
        "1996",
        "mm28",
        "mnsnj5o7dn7e",
        "msnvh",
        "mt1627120573",
        "mvi4",
        "shardbypassyes",
        "af81 http",
        "VBS"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/7b031642a30f1ee179e901d885a09c9e285273ad8a0605f08b84e81b4f715ea3",
        "https://www.virustotal.com/graph/embed/gd8e70aa0638046c8af997e3e7fe529f1cfe2a121f5ca473880544f95a17eb56e?theme=dark",
        "https://www.virustotal.com/gui/collection/7b031642a30f1ee179e901d885a09c9e285273ad8a0605f08b84e81b4f715ea3/iocs",
        "https://tria.ge/240930-t6zdtsvfmk",
        "https://mwdb.cert.pl/file/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
        "https://jaffacakes118.dev/analysis/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b",
        "https://tip.neiki.dev/file/382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Telecommunications",
        "Education",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 112,
        "FileHash-MD5": 33,
        "FileHash-SHA1": 31,
        "FileHash-SHA256": 168,
        "SSLCertFingerprint": 1,
        "domain": 19,
        "hostname": 80
      },
      "indicator_count": 444,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 134,
      "modified_text": "342 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "663d2869e0f3a42bbddc42ff",
      "name": "UPX executable packer.",
      "description": "A new rule has been introduced for a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"",
      "modified": "2024-10-14T00:01:17.069000",
      "created": "2024-05-09T19:47:53.786000",
      "tags": [
        "cioch adrian",
        "centrum usug",
        "sieciowych",
        "elf binary",
        "upx compression",
        "roth",
        "nextron",
        "info",
        "javascript",
        "html",
        "office open",
        "xml document",
        "network capture",
        "win32 exe",
        "xml pakietu",
        "pdf zestawy",
        "przechwytywanie",
        "office",
        "filehashsha1",
        "url https",
        "cve cve20201070",
        "cve cve20203153",
        "cve cve20201048",
        "cve cve20211732",
        "cve20201048 apr",
        "filehashmd5",
        "cve cve20010901",
        "cve cve20021841",
        "cve20153202 apr",
        "cve cve20160728",
        "cve cve20161807",
        "cve cve20175123",
        "cve20185407 apr",
        "cve cve20054605",
        "cve cve20060745",
        "cve cve20070452",
        "cve cve20070453",
        "cve cve20070454",
        "cve cve20071355",
        "cve cve20071358",
        "cve cve20071871",
        "cve20149614 apr",
        "cve cve20151503",
        "cve cve20152080",
        "cve cve20157377",
        "cve cve20170131",
        "cve20200796 may",
        "cve cve20113403"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6861,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 5771,
        "domain": 3139,
        "URL": 14525,
        "FileHash-SHA1": 2610,
        "IPv4": 108,
        "CIDR": 40,
        "FileHash-SHA256": 10705,
        "FileHash-MD5": 3373,
        "YARA": 2,
        "CVE": 148,
        "Mutex": 7,
        "FilePath": 3,
        "SSLCertFingerprint": 3,
        "email": 23,
        "JA3": 1,
        "IPv6": 2
      },
      "indicator_count": 40460,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "595 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e1bcdc0a1e68182c252028",
      "name": "Activity Kotlin Extensions | Cryptor |  Zombie Device | Network CnC",
      "description": "Remotely modified Android device. Hidden users with full command and control. Network CnC enables microphone, camera, photos, screen recorder, and login privileges; blocks and records calls and texts; forces updates; all services modified. Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive tracking. Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.",
      "modified": "2024-03-31T11:04:36.813000",
      "created": "2024-03-01T11:32:44.504000",
      "tags": [
        "communicating",
        "contacted",
        "android",
        "execution",
        "plugx",
        "threat",
        "iocs",
        "analyze",
        "urls http",
        "google llc",
        "server",
        "registrar abuse",
        "registrar iana",
        "us registrant",
        "date",
        "passive dns",
        "all octoseek",
        "http",
        "ip address",
        "related nids",
        "files location",
        "nsis",
        "network icmp",
        "read c",
        "entries",
        "search",
        "create c",
        "ddlr ltd",
        "write c",
        "sat may",
        "pe32",
        "intel",
        "write",
        "status",
        "urls",
        "creation date",
        "type",
        "hostname",
        "kotlin",
        "precreate read",
        "infotip read",
        "js user",
        "trojan",
        "ununtu",
        "linux",
        "module load",
        "t1129",
        "show",
        "copy",
        "win32",
        "malware",
        "as15169 google",
        "united",
        "unknown",
        "aaaa",
        "name servers",
        "showing",
        "error",
        "query",
        "default",
        "large dns",
        "malware dns",
        "msie",
        "windows nt",
        "february",
        "yara detections",
        "vbmod",
        "endpoints all",
        "pulse pulses",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "recon_fingerprint",
        "dead_host",
        "nolookup_communication",
        "antidbg_windows",
        "antivm_generic_bios",
        "browser_security",
        "modifies_certificates",
        "network_cnc_http",
        "network_http",
        "allocates_rwx",
        "antisandbox_sleep",
        "creates_exe",
        "exe_appdata",
        "dropper",
        "protection_rx",
        "antivm_network_adapters",
        "antivm_memory_available",
        "pe_features",
        "checks_debugger",
        "address",
        "domains ii",
        "servers",
        "set cookie",
        "next",
        "chrome",
        "record value",
        "body",
        "meta",
        "taiwan",
        "as3462",
        "as17421",
        "files",
        "dcbg",
        "direct search network",
        "spyware",
        "brian sabey",
        "norad tracking",
        "zombie",
        "scanning host",
        "apple",
        "ios",
        "lenovo",
        "cyber crime",
        "framing",
        "process32nextw",
        "regsetvalueexa",
        "tlsv1",
        "regopenkeyexw",
        "regdword",
        "loader",
        "suspicious",
        "persistence"
      ],
      "references": [
        "xxx.developer.android.com",
        "Activity Kotlin Extensions (1.1.0) Tracking \u2022  Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa",
        "Package Manager: Maven  Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01",
        "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]",
        "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee",
        "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379",
        "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5",
        "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3",
        "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,",
        "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5",
        "Large DNS Query possible covert channel\t192.168.56.101",
        "Yara Detections: MS_Visual_Basic_6_0 ,  vad_contains_network_strings ,  EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT ,  EXECryptor224StrongbitSoftCompleteDevelopmenth3 ,  EXECryptor2xxmaxcompressedresources ,",
        "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom",
        "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver",
        "track.adminresourceupdate.com \u2022 postracking100.online",
        "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com",
        "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0",
        "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339",
        "mobile.detectivesoliver.com \u2022 callback.mobileboost.me",
        "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header",
        "Yara Detections: stack_string ,  ConventionEngine_Keyword_Install ,  research_pe_signed_outside_timestamp ,  xor_0x20_xord_javascript"
      ],
      "public": 1,
      "adversary": "[Unnamed group]",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win.Malware.Agent-6386296-0",
          "display_name": "Win.Malware.Agent-6386296-0",
          "target": null
        },
        {
          "id": "#Lowfi:Trojan:JS/Auto59",
          "display_name": "#Lowfi:Trojan:JS/Auto59",
          "target": null
        },
        {
          "id": "Win32:VBMod\\ [Trj]",
          "display_name": "Win32:VBMod\\ [Trj]",
          "target": null
        },
        {
          "id": "!EXECryptor_2.x.x",
          "display_name": "!EXECryptor_2.x.x",
          "target": null
        },
        {
          "id": "Win32:VBMod\\ [Trj]",
          "display_name": "Win32:VBMod\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.5229994-1",
          "display_name": "Win.Trojan.5229994-1",
          "target": null
        },
        {
          "id": "Taiwan",
          "display_name": "Taiwan",
          "target": null
        },
        {
          "id": "Sabey",
          "display_name": "Sabey",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1399",
          "name": "Modify Trusted Execution Environment",
          "display_name": "T1399 - Modify Trusted Execution Environment"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1554",
          "name": "Compromise Client Software Binary",
          "display_name": "T1554 - Compromise Client Software Binary"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 636,
        "FileHash-SHA1": 402,
        "FileHash-SHA256": 1126,
        "URL": 3482,
        "domain": 1192,
        "hostname": 1324,
        "email": 7,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 8171,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "792 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "openbitcoin.org",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "openbitcoin.org",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780334959.5774565
}