{ "type": "Domain", "indicator": "openssl.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/openssl.org", "alexa": "http://www.alexa.com/siteinfo/openssl.org", "indicator": "openssl.org", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain openssl.org", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain openssl.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 982266462, "indicator": "openssl.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889153bb756c703bd61c97d", "name": "Calisto - APT - 07.29.25 - UA ChromeBook Retro", "description": "Maldoc Calisto - 03.17.23\nRetroanalysis of a simple test to demonstrate a point (had some extensions to capture data). Borrowed a Google Chromebook From University of Alberta & signed in to my CCID on Campus with the Chromebook provided by Office of DOS (provided to them by 'offside IT'. Chromebook did not do so well. Returned. \n\nMAL_PDF_Calisto_PDF_Streams_Jul_09 (Threatzone)\nThis supports findings from Beehive Security who later blocked Calisto/Callisto with their MDR Solution.", "modified": "2025-09-03T00:22:10.750000", "created": "2025-07-29T18:38:51.647000", "tags": [ "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha512", "sha1", "filesize", "sha256", "file", "token", "prefetch8", "prefetch1", "dataprofile", "general", "config", "download", "copy", "target", "defense", "generic", "impact", "virus", "trojan", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "service", "privacy policy", "found url", "ck id", "details found", "ingress tool", "transfer", "t1105", "details url", "t1571", "pdf found", "found", "contentparse", "externalparser", "woff2", "inputfile", "domainresolve", "u200c200d", "u25cc", "ioc value", "Callisto", "Maldoc", "UAlberta", "U of A", "Chromebook", "Microsoft", "Google", "Telus", "Calisto", "APT" ], "references": [ "https://tria.ge/250729-wr59yabk7y/behavioral2", "https://www.filescan.io/uploads/68890e2dc79df08ef097cd38/reports/06923db6-30ae-455f-8026-73461cc1472e/overview", "https://hybrid-analysis.com/sample/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://metadefender.com/results/file/YTI1MDcyOXl4LTdxa1I5ZlVJNGVsWTRUS2kz_mdaas", "https://polyswarm.network/scan/results/file/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce", "https://app.threat.zone/submission/5879c4fe-ce35-45c3-8a3c-e8c06d0e2b2d/overview", "https://tip.neiki.dev/file/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://www.virustotal.com/gui/file/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://www.virustotal.com/gui/file-analysis/MTllN2NiNTVkMGQ1MTYzNGY0OTg4MGY2MmRiYmNjYzg6MTc1MzgxNDIzNQ==", "https://vtbehaviour.commondatastorage.googleapis.com/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1753815427&Signature=BM1MWONwwKd011yMi5XzJJHo01QYs0qWdERlFPM9BGS4OW62YRzI4FX6aMwA6MgQB2eLDnMBjwIYw2ct1yC2HAzJ82eh6VqtBu%2BiE6lObCQjjON9nx29EKx9dGSRLewI3Zjpp7Kbokc%2FIKEh40ZNmeXNc4aCsECY%2Fwq9FQOmT2vm8Bi6IHzZNBMT3srLRZsr%2Bo36MP6ckdybeglLLnb9LA5iEOYbMBMEq6HxMj%2BfLIssDjKInHz7", "https://hybrid-analysis.com/sample/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce/6889105954703efa4303f7c7", "https://malpedia.caad.fkie.fraunhofer.de/actor/callisto" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "MAL_PDF_Calisto_PDF_Streams_Jul_09", "display_name": "MAL_PDF_Calisto_PDF_Streams_Jul_09", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6319, "CIDR": 11, "CVE": 9, "FileHash-MD5": 323, "FileHash-SHA1": 260, "FileHash-SHA256": 292, "domain": 596, "email": 37, "hostname": 806 }, "indicator_count": 8653, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686df81130f94fff809dd8b7", "name": "T-Mobile Service- 23.185.0.2 - Mirai", "description": "", "modified": "2025-08-08T04:05:03.809000", "created": "2025-07-09T05:03:13.536000", "tags": [ "germany unknown", "passive dns", "invalid url", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "frankfurt", "main", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "public key", "info", "south korea", "united", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "high", "as701 verizon", "malware", "copy", "name jim", "zemlin name", "letterman dr", "address bldg", "d ste", "date", "dnssec", "record value", "emails", "address", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jul", "present showing", "entries related", "domains show", "present jun", "search", "enom", "creation date", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 180, "FileHash-SHA256": 2435, "hostname": 644, "domain": 603, "URL": 585, "email": 3 }, "indicator_count": 4628, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853692cc1a1795b9f321422", "name": "Custom Power Wheelchairs | Misc Attack includes Emotet", "description": "", "modified": "2025-07-19T01:04:02.740000", "created": "2025-06-19T01:34:36.575000", "tags": [ "no expiration", "filehashsha256", "expiration", "url https", "filehashmd5", "filehashsha1", "domain", "hostname", "ipv4", "iocs", "url http", "create new", "pulse use", "pdf report", "pcap", "stix", "drop", "review iocs", "pulse show", "enter source", "url or", "search", "type indicator", "role title", "related pulses", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-MD5": 351, "FileHash-SHA1": 328, "FileHash-SHA256": 396, "URL": 176, "domain": 94, "hostname": 75, "email": 2, "SSLCertFingerprint": 1 }, "indicator_count": 1426, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361628539ed40883b8ee66", "name": "Cycbot | Prevents affected individuals from contacting intended entities ", "description": "", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:44:40.311000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "683614d951f4e789950071b3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6830195570ff424c5f8466ff", "name": "http://www.linkedin.com", "description": "The following is a full list of details about the security breaches in the social networking site, which have now been reported to the US and European authorities, as well as to those who have used them.", "modified": "2025-05-30T18:15:23.148000", "created": "2025-05-23T06:44:37.100000", "tags": [ "secure server", "digicert sha2", "root ca", "digicert ecc", "sv ca", "thawte sgc", "ngaa tyumen", "valid txkj", "digicert secure", "server ca" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 87, "URL": 13, "hostname": 6, "SSLCertFingerprint": 96, "domain": 4 }, "indicator_count": 206, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "366 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cec16f4b510d325dc923a1", "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware", "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Bonet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO. \nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, , described as a social group for military personal. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado Possibly contracted OIT by state . The link was recently whitelisted.", "modified": "2024-09-27T03:03:09.340000", "created": "2024-08-28T06:19:27.154000", "tags": [ "as36081 state", "location united", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "mirai", "united states", "united", "ave suite", "purpose p5", "country united", "code us", "name security", "nexus category", "phone number", "postal code", "network", "number", "country us", "continent na", "algorithm", "data", "v3 serial", "cus oapple", "public ev", "server ecc", "g1 validity", "organization", "subject public", "rauschenberg", "apple computer", "applec1z", "mitre att", "evasion ta0005", "hashes", "msie", "windows nt", "wow64", "slcc2", "media center", "response", "request", "accept", "location https", "taiwan as3462", "south korea", "as4766 korea", "high", "japan as17676", "china as45090", "http", "search", "contacted", "malware", "copy", "as41231", "united kingdom", "status", "aaaa", "ddos", "whitelisted", "certificate", "moved", "trojan", "virtool", "encrypt", "software", "initial", "passive dns", "scan endpoints", "all scoreblue", "body", "a domains", "linux ubuntu", "creation date", "enterprise open", "ubuntu", "linux", "social", "window", "code", "ipv4", "urls", "files", "reverse dns", "trojan features", "file samples", "files matching", "date hash", "domain", "address", "name servers", "servers", "intel", "icmp traffic", "dead_host", "network_icmp", "osquery_detection", "nolookup_communication", "pulse pulses", "unknown", "as20940", "as15169 google", "dns show", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "province co", "error", "tr tr", "pulse submit", "url analysis", "hostname", "files ip", "asnone united", "ireland unknown", "brazil unknown", "next", "showing", "gmt content", "apache cache", "pragma", "record value", "trojanproxy", "win32", "title", "server", "alf features", "related pulses", "show", "ip address", "asn as16509", "china unknown", "hichina", "hong kong", "as133775 xiamen", "web server", "authentication", "tls web", "full name", "ca issuers", "as44273 host", "a nxdomain", "avast avg", "russia unknown", "germany unknown", "turkey unknown", "japan unknown", "as16276", "france unknown", "service", "ck ids", "t1082", "t1129", "modules", "t1045", "packing", "t1060", "run keys", "startup" ], "references": [ "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0", "Unix.Trojan.Mirai-6976991-0 FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]", "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru", "Yara: Mirai_Botnet_Malware", "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom", "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21", "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO", "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us", "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]", "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a", "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru", "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive", "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru Created: Jun 19, 2016", "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com", "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 | ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |", "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com", "Yara Detections Mirai_Botnet_Malware", "Detections Executable and linking format (ELF) file download Over HTTP", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "Detections Executable and linking format (ELF) file download Over HTTP", "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College" ], "public": 1, "adversary": "Frank Di MuccioSGT", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DDoS:Linux/Lightaidra", "display_name": "DDoS:Linux/Lightaidra", "target": "/malware/DDoS:Linux/Lightaidra" }, { "id": "Trojan:Win32/Skeeyah", "display_name": "Trojan:Win32/Skeeyah", "target": "/malware/Trojan:Win32/Skeeyah" }, { "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB", "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB", "target": null }, { "id": "Win.Trojan.Tofsee-6840338-0", "display_name": "Win.Trojan.Tofsee-6840338-0", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "PSW.Generic12.WIO", "display_name": "PSW.Generic12.WIO", "target": null }, { "id": "ELF:Hajime-Q", "display_name": "ELF:Hajime-Q", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Telecommunications", "Government", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1108, "hostname": 627, "domain": 628, "URL": 534, "FileHash-MD5": 377, "FileHash-SHA1": 373, "email": 12, "CIDR": 2, "SSLCertFingerprint": 2 }, "indicator_count": 3663, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6684ddb81f457884672174ce", "name": "Suss & Suspicious dlls", "description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened", "modified": "2024-08-23T15:00:34.872000", "created": "2024-07-03T05:12:24.970000", "tags": [ "entity", "please", "javascript", "suss", "hidden", "false file", "description", "hash", "suspicious", "duck duck", "comodo security", "solutions", "inc hash", "intel", "compiler", "loader" ], "references": [ "https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph", "07.02.24 - dos - DLLExplorer.log" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [ "Technology", "Education", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3627, "FileHash-SHA1": 937, "FileHash-SHA256": 28560, "hostname": 5477, "domain": 8215, "URL": 10147, "email": 7, "CIDR": 2 }, "indicator_count": 56972, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "647 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657083fdc68c74974fe8a9fb", "name": "cass.ballottrax.net:voter:%22", "description": "", "modified": "2023-12-06T14:23:56.285000", "created": "2023-12-06T14:23:56.285000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 640, "hostname": 145, "domain": 121, "URL": 510, "CIDR": 5, "FileHash-MD5": 10 }, "indicator_count": 1431, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707f8475d8a8785dfc5a2f", "name": "Zetalytics API", "description": "", "modified": "2023-12-06T14:04:52.250000", "created": "2023-12-06T14:04:52.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 754, "hostname": 833, "domain": 441, "URL": 2375, "CIDR": 5, "FileHash-MD5": 2, "email": 1 }, "indicator_count": 4411, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231eff11998f0376e1e3edf", "name": "cass.ballottrax.net:voter:%22", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T14:10:57.861000", "tags": [], "references": [ "cass.ballottrax.net:voter:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 511, "hostname": 145, "domain": 121, "FileHash-SHA256": 640, "CIDR": 5, "FileHash-MD5": 10 }, "indicator_count": 1432, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "621bc3aa050a6c5693595f25", "name": "Zetalytics API", "description": "", "modified": "2022-03-29T00:03:34.773000", "created": "2022-02-27T18:32:10.542000", "tags": [ "google", "google llc", "detected", "expand overall", "http", "amazonaes", "openssl", "lookup go", "rescan add", "verdict report", "behaviour", "june", "apache", "search url", "search domain", "scan url", "url search", "domain scan", "url url", "us summary", "line", "google maps", "api warning", "redirects links", "similar dom", "content api", "domains", "Ransomware" ], "references": [ "zetalytics .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "display_name": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "target": null }, { "id": "Trojan:Win32/Danabot.G", "display_name": "Trojan:Win32/Danabot.G", "target": "/malware/Trojan:Win32/Danabot.G" }, { "id": "Backdoor:Win32/Poison.E", "display_name": "Backdoor:Win32/Poison.E", "target": "/malware/Backdoor:Win32/Poison.E" }, { "id": "ALF:PUA:Block:IObit.R!MTB", "display_name": "ALF:PUA:Block:IObit.R!MTB", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 754, "URL": 2375, "domain": 441, "hostname": 833, "CIDR": 5, "FileHash-MD5": 2, "email": 1 }, "indicator_count": 4411, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1525 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com", "cass.ballottrax.net:voter:%22,.pdf", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "https://vtbehaviour.commondatastorage.googleapis.com/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1753815427&Signature=BM1MWONwwKd011yMi5XzJJHo01QYs0qWdERlFPM9BGS4OW62YRzI4FX6aMwA6MgQB2eLDnMBjwIYw2ct1yC2HAzJ82eh6VqtBu%2BiE6lObCQjjON9nx29EKx9dGSRLewI3Zjpp7Kbokc%2FIKEh40ZNmeXNc4aCsECY%2Fwq9FQOmT2vm8Bi6IHzZNBMT3srLRZsr%2Bo36MP6ckdybeglLLnb9LA5iEOYbMBMEq6HxMj%2BfLIssDjKInHz7", "Yara: Mirai_Botnet_Malware", "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive", "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us", "https://malpedia.caad.fkie.fraunhofer.de/actor/callisto", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru Created: Jun 19, 2016", "https://tria.ge/250729-wr59yabk7y/behavioral2", "Unix.Trojan.Mirai-6976991-0 FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]", "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO", "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a", "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "Yara Detections Mirai_Botnet_Malware", "https://www.filescan.io/uploads/68890e2dc79df08ef097cd38/reports/06923db6-30ae-455f-8026-73461cc1472e/overview", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com", "https://hybrid-analysis.com/sample/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21", "https://n0paste.eu/UH6n5pD/", "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 | ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |", "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs", "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]", "https://metadefender.com/results/file/YTI1MDcyOXl4LTdxa1I5ZlVJNGVsWTRUS2kz_mdaas", "https://app.threat.zone/submission/5879c4fe-ce35-45c3-8a3c-e8c06d0e2b2d/overview", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0", "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://hybrid-analysis.com/sample/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce/6889105954703efa4303f7c7", "https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark", "zetalytics .pdf", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "https://polyswarm.network/scan/results/file/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce", "https://tip.neiki.dev/file/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph", "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom", "Detections Executable and linking format (ELF) file download Over HTTP", "https://www.virustotal.com/gui/file/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "07.02.24 - dos - DLLExplorer.log", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary", "https://www.virustotal.com/gui/file-analysis/MTllN2NiNTVkMGQ1MTYzNGY0OTg4MGY2MmRiYmNjYzg6MTc1MzgxNDIzNQ==", "www.crackedmindstechnologies.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Frank Di MuccioSGT" ], "malware_families": [ "Psw.generic12.wio", "Trojanspy:win32/invader.s!msr", "Mal_pdf_calisto_pdf_streams_jul_09", "Elf:hajime-q", "Trojan:win32/skeeyah", "Win.virus.polyransom-5704625-0", "Botnet", "#lowfienabledtcontinueafterunpacking", "Trojan:win32/danabot.g", "Worm:win32/mydoom.o!backdoor", "Win.trojan.tofsee-6840338-0", "Cycbot", "Et", "Win32:cryptor", "Alf:trojan:win32/flystudio.pa!mtb", "Alf:pua:block:iobit.r!mtb", "Gandcrab", "Worm:win32/bloored.e", "Ddos:linux/lightaidra", "Mirai", "Backdoor:win32/poison.e", "Telper:cert:softwarebundler:win32/bunpredelt", "Win32:kukacka", "Win.malware.snojan-6775202-0", "Trojanspy:win32/nivdort.aj", "Virus:win32/sality.at" ], "industries": [ "Technology", "Government", "Telecommunications", "Education", "Healthcare", "Civilian society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889153bb756c703bd61c97d", "name": "Calisto - APT - 07.29.25 - UA ChromeBook Retro", "description": "Maldoc Calisto - 03.17.23\nRetroanalysis of a simple test to demonstrate a point (had some extensions to capture data). Borrowed a Google Chromebook From University of Alberta & signed in to my CCID on Campus with the Chromebook provided by Office of DOS (provided to them by 'offside IT'. Chromebook did not do so well. Returned. \n\nMAL_PDF_Calisto_PDF_Streams_Jul_09 (Threatzone)\nThis supports findings from Beehive Security who later blocked Calisto/Callisto with their MDR Solution.", "modified": "2025-09-03T00:22:10.750000", "created": "2025-07-29T18:38:51.647000", "tags": [ "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha512", "sha1", "filesize", "sha256", "file", "token", "prefetch8", "prefetch1", "dataprofile", "general", "config", "download", "copy", "target", "defense", "generic", "impact", "virus", "trojan", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "service", "privacy policy", "found url", "ck id", "details found", "ingress tool", "transfer", "t1105", "details url", "t1571", "pdf found", "found", "contentparse", "externalparser", "woff2", "inputfile", "domainresolve", "u200c200d", "u25cc", "ioc value", "Callisto", "Maldoc", "UAlberta", "U of A", "Chromebook", "Microsoft", "Google", "Telus", "Calisto", "APT" ], "references": [ "https://tria.ge/250729-wr59yabk7y/behavioral2", "https://www.filescan.io/uploads/68890e2dc79df08ef097cd38/reports/06923db6-30ae-455f-8026-73461cc1472e/overview", "https://hybrid-analysis.com/sample/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://metadefender.com/results/file/YTI1MDcyOXl4LTdxa1I5ZlVJNGVsWTRUS2kz_mdaas", "https://polyswarm.network/scan/results/file/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce", "https://app.threat.zone/submission/5879c4fe-ce35-45c3-8a3c-e8c06d0e2b2d/overview", "https://tip.neiki.dev/file/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://www.virustotal.com/gui/file/2d0458cbda9297baf3d2f28bfa47a4872075a444ec68f30757ceec458f3aab2e", "https://www.virustotal.com/gui/file-analysis/MTllN2NiNTVkMGQ1MTYzNGY0OTg4MGY2MmRiYmNjYzg6MTc1MzgxNDIzNQ==", "https://vtbehaviour.commondatastorage.googleapis.com/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1753815427&Signature=BM1MWONwwKd011yMi5XzJJHo01QYs0qWdERlFPM9BGS4OW62YRzI4FX6aMwA6MgQB2eLDnMBjwIYw2ct1yC2HAzJ82eh6VqtBu%2BiE6lObCQjjON9nx29EKx9dGSRLewI3Zjpp7Kbokc%2FIKEh40ZNmeXNc4aCsECY%2Fwq9FQOmT2vm8Bi6IHzZNBMT3srLRZsr%2Bo36MP6ckdybeglLLnb9LA5iEOYbMBMEq6HxMj%2BfLIssDjKInHz7", "https://hybrid-analysis.com/sample/4c7d629d37665e74617cefe3e208a37b2042529cbbeb9a839a79e167919561ce/6889105954703efa4303f7c7", "https://malpedia.caad.fkie.fraunhofer.de/actor/callisto" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "MAL_PDF_Calisto_PDF_Streams_Jul_09", "display_name": "MAL_PDF_Calisto_PDF_Streams_Jul_09", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6319, "CIDR": 11, "CVE": 9, "FileHash-MD5": 323, "FileHash-SHA1": 260, "FileHash-SHA256": 292, "domain": 596, "email": 37, "hostname": 806 }, "indicator_count": 8653, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686df81130f94fff809dd8b7", "name": "T-Mobile Service- 23.185.0.2 - Mirai", "description": "", "modified": "2025-08-08T04:05:03.809000", "created": "2025-07-09T05:03:13.536000", "tags": [ "germany unknown", "passive dns", "invalid url", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "frankfurt", "main", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "public key", "info", "south korea", "united", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "high", "as701 verizon", "malware", "copy", "name jim", "zemlin name", "letterman dr", "address bldg", "d ste", "date", "dnssec", "record value", "emails", "address", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jul", "present showing", "entries related", "domains show", "present jun", "search", "enom", "creation date", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 180, "FileHash-SHA256": 2435, "hostname": 644, "domain": 603, "URL": 585, "email": 3 }, "indicator_count": 4628, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853692cc1a1795b9f321422", "name": "Custom Power Wheelchairs | Misc Attack includes Emotet", "description": "", "modified": "2025-07-19T01:04:02.740000", "created": "2025-06-19T01:34:36.575000", "tags": [ "no expiration", "filehashsha256", "expiration", "url https", "filehashmd5", "filehashsha1", "domain", "hostname", "ipv4", "iocs", "url http", "create new", "pulse use", "pdf report", "pcap", "stix", "drop", "review iocs", "pulse show", "enter source", "url or", "search", "type indicator", "role title", "related pulses", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-MD5": 351, "FileHash-SHA1": 328, "FileHash-SHA256": 396, "URL": 176, "domain": 94, "hostname": 75, "email": 2, "SSLCertFingerprint": 1 }, "indicator_count": 1426, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361628539ed40883b8ee66", "name": "Cycbot | Prevents affected individuals from contacting intended entities ", "description": "", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:44:40.311000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "683614d951f4e789950071b3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6830195570ff424c5f8466ff", "name": "http://www.linkedin.com", "description": "The following is a full list of details about the security breaches in the social networking site, which have now been reported to the US and European authorities, as well as to those who have used them.", "modified": "2025-05-30T18:15:23.148000", "created": "2025-05-23T06:44:37.100000", "tags": [ "secure server", "digicert sha2", "root ca", "digicert ecc", "sv ca", "thawte sgc", "ngaa tyumen", "valid txkj", "digicert secure", "server ca" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 87, "URL": 13, "hostname": 6, "SSLCertFingerprint": 96, "domain": 4 }, "indicator_count": 206, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "366 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "openssl.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "openssl.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780326653.9105136 }