{ "type": "Domain", "indicator": "php.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/php.net", "alexa": "http://www.alexa.com/siteinfo/php.net", "indicator": "php.net", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain php.net", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain php.net", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2651289984, "indicator": "php.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69d4595cd9283fc7a5aa03ab", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T03:46:03.154000", "created": "2026-04-07T01:09:48.152000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 195, "domain": 120, "IPv4": 14, "hostname": 101, "CVE": 1 }, "indicator_count": 3497, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595b8c340900560463a8", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:12.329000", "created": "2026-04-07T01:09:47.893000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595beae76fc81c99cf63", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:10.274000", "created": "2026-04-07T01:09:47.895000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595bad55db9318902436", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:47.753000", "created": "2026-04-07T01:09:47.753000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595a99f229f5b99ce366", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:46.696000", "created": "2026-04-07T01:09:46.696000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4594ea685ae6b9912f97b", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:34.613000", "created": "2026-04-07T01:09:34.613000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d45947ce0025cf5afbb117", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:27.333000", "created": "2026-04-07T01:09:27.333000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adce952052db1643eb1", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:40.683000", "created": "2026-04-06T22:59:40.683000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ada131daf14003078c7", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:38.191000", "created": "2026-04-06T22:59:38.191000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adaef39c73f026077c0", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:38.174000", "created": "2026-04-06T22:59:38.174000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5541cf4a7ee45cef5", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:33.577000", "created": "2026-04-06T22:59:33.577000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5128bbd414bbd946f", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:33.569000", "created": "2026-04-06T22:59:33.569000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43acb355ea778bf740a6d", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:23.936000", "created": "2026-04-06T22:59:23.936000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ac218b1452b90077c29", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:14.467000", "created": "2026-04-06T22:59:14.467000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "32 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6952febb1dbcf05ee601f050", "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)", "description": "", "modified": "2025-12-29T22:20:43.238000", "created": "2025-12-29T22:20:43.238000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65b80a20bbcd0eb305a740ec", "export_count": 27361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "104 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853692cc1a1795b9f321422", "name": "Custom Power Wheelchairs | Misc Attack includes Emotet", "description": "", "modified": "2025-07-19T01:04:02.740000", "created": "2025-06-19T01:34:36.575000", "tags": [ "no expiration", "filehashsha256", "expiration", "url https", "filehashmd5", "filehashsha1", "domain", "hostname", "ipv4", "iocs", "url http", "create new", "pulse use", "pdf report", "pcap", "stix", "drop", "review iocs", "pulse show", "enter source", "url or", "search", "type indicator", "role title", "related pulses", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-MD5": 351, "FileHash-SHA1": 328, "FileHash-SHA256": 396, "URL": 176, "domain": 94, "hostname": 75, "email": 2, "SSLCertFingerprint": 1 }, "indicator_count": 1426, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676c22688c20f970ad67e408", "name": "Exploit/Shellcode Zawiera ukryty ci\u0105g bajt\u00f3w (cz\u0119sto cz\u0119\u015b\u0107 zaciemnionego kodu pow\u0142oki)", "description": "https://hybrid-analysis.com/sample/f03c81c8e39139eab248f5c3355f918f87b9ffe740a866c13b7782ef719af914/64eb8574b43749bb740d2f8a", "modified": "2025-05-14T20:57:23.962000", "created": "2024-12-25T15:19:04.989000", "tags": [ "united", "portland", "aws ec2", "wskaniki", "sha256", "a mi", "c mi", "ihdr8gvsrgb", "idatx", "bbygx", "idat b", "4m mviendb", "peexe c", "date", "file sha256", "dhsdh", "sarsrx", "gramatyka", "pisownia", "yczerejestru", "x308b", "merriamwebster", "wunder", "politico", "purdue", "roboto" ], "references": [ "http://ip-api.com/json/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 93, "FileHash-SHA1": 35, "FileHash-SHA256": 308, "IPv4": 28, "hostname": 107, "URL": 35, "domain": 626 }, "indicator_count": 1232, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "333 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "356 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "585 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "585 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e73efe2e053366ed972", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-09-05T06:21:34.047000", "created": "2024-01-30T02:26:59.218000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6145, "URL": 14252, "hostname": 4778, "domain": 6809, "CVE": 3 }, "indicator_count": 32339, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "585 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "777 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aaba0fe5834eef98066f6e", "name": "LockBit | Apple iOS HackTool | CVE 2023-4966 (Citrix Bleed)", "description": "", "modified": "2024-02-17T02:03:48.897000", "created": "2024-01-19T18:06:07.730000", "tags": [ "ssl certificate", "network", "malware", "contacted", "referrer", "whois record", "communicating", "highly targeted", "apple ios", "tsara brashears", "core", "hacktool", "emotet", "copy", "installer", "formbook", "ransomware", "critical", "benjamin", "phishing", "trojan", "worm", "date", "passive dns", "urls", "search", "status", "nxdomain", "scan endpoints", "all octoseek", "hostname", "pulse submit", "name verdict", "falcon sandbox", "reports", "falcon", "getprocaddress", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "united", "as40528 icann", "unknown", "as26710 icann", "pulse pulses", "showing", "as16876 icann", "aaaa", "certificate", "domain", "gandi sas", "files", "adware", "cybercrime", "malvertizing", "password stealer", "ios unlocker", "beautiful", "model", "songwriter", "pornhub", "fireeye", "espionage", "targeting" ], "references": [ "http://103.246.145.111/gate.php?hwid=WALKER-PC-WALKER&os=Windows%207%20Enterprise&cpu=Intel", "nr-data.net [Apple Private Data Collection]", "https://stackabuse.com/assets/images/apple", "https://hybrid-analysis.com/sample/772d7c597071913ba41e1b0f6b24bbb9d512cbe8f884e482a2d187f5a95281bc/65a880b7d29f11c8c30ad32e", "CVE-2023-4966", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a", "What Is LockBit Ransomware? BlackBerry https://www.blackberry.com \u203a ransomware-protection", "https://github.com/MISP/misp-galaxy/blame/master/clusters/threat-actor.json" ], "public": 1, "adversary": "LockBit 3.0 Ransomware Affiliates", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Government", "Civil society", "Private Sector", "Telecommunications" ], "TLP": "white", "cloned_from": "65a89d024f9153ccae3a8500", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 2869, "URL": 2492, "CVE": 2, "domain": 1079, "hostname": 817, "SSLCertFingerprint": 2, "email": 3 }, "indicator_count": 7358, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aaba128167bfe90a0ab7e8", "name": "LockBit | Apple iOS HackTool | CVE 2023-4966 (Citrix Bleed)", "description": "", "modified": "2024-02-17T02:03:48.897000", "created": "2024-01-19T18:06:10.095000", "tags": [ "ssl certificate", "network", "malware", "contacted", "referrer", "whois record", "communicating", "highly targeted", "apple ios", "tsara brashears", "core", "hacktool", "emotet", "copy", "installer", "formbook", "ransomware", "critical", "benjamin", "phishing", "trojan", "worm", "date", "passive dns", "urls", "search", "status", "nxdomain", "scan endpoints", "all octoseek", "hostname", "pulse submit", "name verdict", "falcon sandbox", "reports", "falcon", "getprocaddress", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "united", "as40528 icann", "unknown", "as26710 icann", "pulse pulses", "showing", "as16876 icann", "aaaa", "certificate", "domain", "gandi sas", "files", "adware", "cybercrime", "malvertizing", "password stealer", "ios unlocker", "beautiful", "model", "songwriter", "pornhub", "fireeye", "espionage", "targeting" ], "references": [ "http://103.246.145.111/gate.php?hwid=WALKER-PC-WALKER&os=Windows%207%20Enterprise&cpu=Intel", "nr-data.net [Apple Private Data Collection]", "https://stackabuse.com/assets/images/apple", "https://hybrid-analysis.com/sample/772d7c597071913ba41e1b0f6b24bbb9d512cbe8f884e482a2d187f5a95281bc/65a880b7d29f11c8c30ad32e", "CVE-2023-4966", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a", "What Is LockBit Ransomware? BlackBerry https://www.blackberry.com \u203a ransomware-protection", "https://github.com/MISP/misp-galaxy/blame/master/clusters/threat-actor.json" ], "public": 1, "adversary": "LockBit 3.0 Ransomware Affiliates", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Government", "Civil society", "Private Sector", "Telecommunications" ], "TLP": "white", "cloned_from": "65a89d024f9153ccae3a8500", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 2869, "URL": 2492, "CVE": 2, "domain": 1079, "hostname": 817, "SSLCertFingerprint": 2, "email": 3 }, "indicator_count": 7358, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aaba12436a318c6567cba8", "name": "LockBit | Apple iOS HackTool | CVE 2023-4966 (Citrix Bleed)", "description": "", "modified": "2024-02-17T02:03:48.897000", "created": "2024-01-19T18:06:10.934000", "tags": [ "ssl certificate", "network", "malware", "contacted", "referrer", "whois record", "communicating", "highly targeted", "apple ios", "tsara brashears", "core", "hacktool", "emotet", "copy", "installer", "formbook", "ransomware", "critical", "benjamin", "phishing", "trojan", "worm", "date", "passive dns", "urls", "search", "status", "nxdomain", "scan endpoints", "all octoseek", "hostname", "pulse submit", "name verdict", "falcon sandbox", "reports", "falcon", "getprocaddress", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "united", "as40528 icann", "unknown", "as26710 icann", "pulse pulses", "showing", "as16876 icann", "aaaa", "certificate", "domain", "gandi sas", "files", "adware", "cybercrime", "malvertizing", "password stealer", "ios unlocker", "beautiful", "model", "songwriter", "pornhub", "fireeye", "espionage", "targeting" ], "references": [ "http://103.246.145.111/gate.php?hwid=WALKER-PC-WALKER&os=Windows%207%20Enterprise&cpu=Intel", "nr-data.net [Apple Private Data Collection]", "https://stackabuse.com/assets/images/apple", "https://hybrid-analysis.com/sample/772d7c597071913ba41e1b0f6b24bbb9d512cbe8f884e482a2d187f5a95281bc/65a880b7d29f11c8c30ad32e", "CVE-2023-4966", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a", "What Is LockBit Ransomware? BlackBerry https://www.blackberry.com \u203a ransomware-protection", "https://github.com/MISP/misp-galaxy/blame/master/clusters/threat-actor.json" ], "public": 1, "adversary": "LockBit 3.0 Ransomware Affiliates", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Government", "Civil society", "Private Sector", "Telecommunications" ], "TLP": "white", "cloned_from": "65a89d024f9153ccae3a8500", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 2869, "URL": 2492, "CVE": 2, "domain": 1079, "hostname": 817, "SSLCertFingerprint": 2, "email": 3 }, "indicator_count": 7358, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a89d024f9153ccae3a8500", "name": "LockBit | Apple iOS HackTool | CVE 2023-4966 (Citrix Bleed)", "description": "LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. \n\nCVE 2023-4966 (Citrix Bleed) to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances.", "modified": "2024-02-17T02:03:48.897000", "created": "2024-01-18T03:37:38.334000", "tags": [ "ssl certificate", "network", "malware", "contacted", "referrer", "whois record", "communicating", "highly targeted", "apple ios", "tsara brashears", "core", "hacktool", "emotet", "copy", "installer", "formbook", "ransomware", "critical", "benjamin", "phishing", "trojan", "worm", "date", "passive dns", "urls", "search", "status", "nxdomain", "scan endpoints", "all octoseek", "hostname", "pulse submit", "name verdict", "falcon sandbox", "reports", "falcon", "getprocaddress", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "united", "as40528 icann", "unknown", "as26710 icann", "pulse pulses", "showing", "as16876 icann", "aaaa", "certificate", "domain", "gandi sas", "files", "adware", "cybercrime", "malvertizing", "password stealer", "ios unlocker", "beautiful", "model", "songwriter", "pornhub", "fireeye", "espionage", "targeting" ], "references": [ "http://103.246.145.111/gate.php?hwid=WALKER-PC-WALKER&os=Windows%207%20Enterprise&cpu=Intel", "nr-data.net [Apple Private Data Collection]", "https://stackabuse.com/assets/images/apple", "https://hybrid-analysis.com/sample/772d7c597071913ba41e1b0f6b24bbb9d512cbe8f884e482a2d187f5a95281bc/65a880b7d29f11c8c30ad32e", "CVE-2023-4966", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a", "What Is LockBit Ransomware? BlackBerry https://www.blackberry.com \u203a ransomware-protection", "https://github.com/MISP/misp-galaxy/blame/master/clusters/threat-actor.json" ], "public": 1, "adversary": "LockBit 3.0 Ransomware Affiliates", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Government", "Civil society", "Private Sector", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 2869, "URL": 2492, "CVE": 2, "domain": 1079, "hostname": 817, "SSLCertFingerprint": 2, "email": 3 }, "indicator_count": 7358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a8720daa2d0263a2b1de88", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior. Active threat. Linux/Mumblehard backdoor/botnet", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-18T00:34:21.136000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aab9d7a0b4116f622b0aa0", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-19T18:05:11.592000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": "65a8720daa2d0263a2b1de88", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a76c2901b34c79a681596d", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following , being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T05:56:57.948000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80a20bbcd0eb305a740ec", "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-29T20:27:12.899000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3155, "domain": 2894, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13628, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a77c6a22a236495c4548d6", "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach", "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.' PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers", "modified": "2024-02-16T05:03:15.321000", "created": "2024-01-17T07:06:18.453000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "remote", "malvertizing", "spying", "cyber stalking" ], "references": [ "https://tulach.cc/", "go.sabey.com", "sabey.com", "cellebrite.com", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://www.pornhub.com/video/search?search=tsara+brashears", "remote.aciscomputers.com", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "114.114.114.114 [Tulach]", "nr-data.net [Apple Private Data Collection]", "defenselawyernj.com", "attorney-marketing-specialists.com ?", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "https://t.me/hermitspyware/24", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "http://watchhers.net/index.php [remote attackers | malware spreader]", "api-stage.pornhub.com", "newbrazzers.com [y8.com]", "www.videolan.org [info solutions]", "www2.blackbagtech.com [hidden users included]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "http://pegasus.diskel.co.uk/ [phishing]", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "fds.cellebrite.com", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "http://download.virtualbox.org/virtualbox/debian", "match.pegasus.isi.edu", "asp.net", "http://dropbox.com/ [ intrusions/ dropbox stealer]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [ "Individual", "Patient", "Healthcare", "Survivor" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4101, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3157, "domain": 2903, "hostname": 2847, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13639, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "787 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4888d583378e41185d9b9", "name": "Behav | Remote Command and Control", "description": "", "modified": "2024-02-13T21:02:07.169000", "created": "2024-01-15T01:21:17.429000", "tags": [ "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "tld count", "heur", "cisco umbrella", "alexa top", "html", "site", "site top", "million", "safe site", "million alexa", "site safe", "malware", "win64", "crack", "acint", "opencandy", "nircmd", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "exploit", "presenoker", "agent", "filetour", "cleaner", "conduit", "unsafe", "wacatac", "artemis", "iframe", "cve201711882", "memscan", "riskware", "phishing", "alexa", "zbot", "webtoolbar", "trojanspy", "malicious site", "united", "malicious host", "phishing site", "et cins", "active threat", "anonymizer", "reputation ip", "paypal", "malware site", "malicious", "bank", "deepscan", "first", "hidelink", "maltiverse", "nancore", "phishing", "rat", "remote", "trojan", "keylogger", "thebrotherssabey", "thebrotherssabey.com", "sabey", "brian sabey", "attack", "installation", "persistence", "active threat" ], "references": [ "https://www.enigmasoftware.com/malbehav374-removal/", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hybrid-analysis.com/sample/ba36c01de22294d112f52e837086486b4a6a40c4eb3eac08217f3e46eb17d21b/65a432f32a1edd2da00ac71e", "Malicious: Drops executable files to the Windows system directory details File type \"DOS executable (COM)\"" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Trojan:Win32/Filetour", "display_name": "Trojan:Win32/Filetour", "target": "/malware/Trojan:Win32/Filetour" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "ALF:JASYP:PUA:Win32/Systweak", "display_name": "ALF:JASYP:PUA:Win32/Systweak", "target": null }, { "id": "TEL:HackTool:Win32/ArtemisUser", "display_name": "TEL:HackTool:Win32/ArtemisUser", "target": null }, { "id": "HackTool:Win32/Crack", "display_name": "HackTool:Win32/Crack", "target": "/malware/HackTool:Win32/Crack" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a462c4cede2a3888eae8f2", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 21, "FileHash-SHA256": 29, "domain": 584, "email": 1, "hostname": 112, "URL": 23, "CVE": 6 }, "indicator_count": 802, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a462c4cede2a3888eae8f2", "name": "Behav | Remote Command and Control", "description": "Mal/Behav-374 may give remote attackers access to a compromised machine allowing them to steal confidential information. Active threat.", "modified": "2024-02-13T21:02:07.169000", "created": "2024-01-14T22:40:04.695000", "tags": [ "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "tld count", "heur", "cisco umbrella", "alexa top", "html", "site", "site top", "million", "safe site", "million alexa", "site safe", "malware", "win64", "crack", "acint", "opencandy", "nircmd", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "exploit", "presenoker", "agent", "filetour", "cleaner", "conduit", "unsafe", "wacatac", "artemis", "iframe", "cve201711882", "memscan", "riskware", "phishing", "alexa", "zbot", "webtoolbar", "trojanspy", "malicious site", "united", "malicious host", "phishing site", "et cins", "active threat", "anonymizer", "reputation ip", "paypal", "malware site", "malicious", "bank", "deepscan", "first", "hidelink", "maltiverse", "nancore", "phishing", "rat", "remote", "trojan", "keylogger", "thebrotherssabey", "thebrotherssabey.com", "sabey", "brian sabey", "attack", "installation", "persistence", "active threat" ], "references": [ "https://www.enigmasoftware.com/malbehav374-removal/", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hybrid-analysis.com/sample/ba36c01de22294d112f52e837086486b4a6a40c4eb3eac08217f3e46eb17d21b/65a432f32a1edd2da00ac71e", "Malicious: Drops executable files to the Windows system directory details File type \"DOS executable (COM)\"" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Trojan:Win32/Filetour", "display_name": "Trojan:Win32/Filetour", "target": "/malware/Trojan:Win32/Filetour" }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "ALF:PUA:Win32/OpenCandy", "display_name": "ALF:PUA:Win32/OpenCandy", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "ALF:JASYP:PUA:Win32/Systweak", "display_name": "ALF:JASYP:PUA:Win32/Systweak", "target": null }, { "id": "TEL:HackTool:Win32/ArtemisUser", "display_name": "TEL:HackTool:Win32/ArtemisUser", "target": null }, { "id": "HackTool:Win32/Crack", "display_name": "HackTool:Win32/Crack", "target": "/malware/HackTool:Win32/Crack" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 21, "FileHash-SHA256": 29, "domain": 584, "email": 1, "hostname": 112, "URL": 23, "CVE": 6 }, "indicator_count": 802, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a0012061cc62dae1423a4d", "name": "Masquerading | UCHealth| 'University of Cincinnati' | MITRE ATT&CK", "description": "", "modified": "2024-02-10T08:00:08.779000", "created": "2024-01-11T14:54:24.703000", "tags": [ "json data", "localappdata", "temp", "windir", "getprocaddress", "ascii text", "mitre att", "ck id", "show technique", "ck matrix", "path", "win64", "date", "factory", "hybrid", "contacted", "germany unknown", "as47846", "as31103 keyweb", "passive dns", "unknown", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "benjamin", "network", "cams", "feeds", "malicious adware", "urlref", "worm" ], "references": [ "https://my.uchealth.com/myuchealth/Authentication/Login/DoJump?token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ1cm46VUNIZWFsdGg6Y2Utc", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "voyour-cams.xww.de [W32.DSS.Trojan]", "https://www.hybrid-analysis.com/sample/5cde83981d63661bad25f5900043e2dacaae3aac005b1201d7ea8182c0ec427c/659e999528b388097206d52c", "http://voyour-cams.xww.de/ [image referer, dga, malware, parked, ads]", "UCHealth 'University of Cincinnati' vulnerable/compromised/related 'UCHealth.com' domains and URL's", "allaboutcircuits.com l DGA domain | treehugger.com [ueleconomy.gov] | uchealth.com | http://cancer.uchealth.com | https://cancer.uchealth.com", "https://cancer.uchealth.com/ | http://michaela.young@uchealth.com/ | https://www.uchealth.com/physician/frank-avilucea/ |", "https://www.uchealth.com/physician/t-toan-le/?ref=35&site=30 | https://www.uchealth.com/physician/t-toan-le/?ref=35&site=30", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "http://uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf", "Malicious File Hash- SHA256 98a2a9c25e6240e44c595a693ed7b48c9c412969855b219e46dd9379006673d3", "High severity - suspicious_write_exe, network_icmp, modifies_certificates, process_martian, injection_resumethread", "Medium severity - dumped_buffer js_eval network_http allocates_rwx antisandbox_foregroundwindows creates_exe creates_shortcut suspicious_process stealth_window uses_windows_utilities recon_fingerprint antivm_memory_available Less High Priority IP\u2019s Contacted 16 IP\u2019s Contacted 104.16.18.94 104.20.234.39 104.26.11.189 104.26.3.202 13.107.4.50 More Domains Contacted 17 Domains Contacted www.bing.com www.allaboutcircuits.com allaboutcircuits.com ocsp.digicert.com securepubads.g.doubleclick.net More Related", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "http://uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf | https://www.uchealth.com/locations/uc-health-physicians-office-midtown/", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://my.uchealth.com/myuchealth/inside.asp?mode=labdetail&e%E2%80%A64bK43QgfcL6kD9bT8hI9YIXWVk5xuOPWrqJQNWVGZwZo-3D&printmode=true", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24wYBOtOuf1BKR-2B8XDFJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24wYBOtOuf1BKR-2B8XDFJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "64.190.63.111 | More AV Detection | !#HSTR:SigGen0136cb6c, ALF:CERT:Adware:Win32/Peapoon , ALF:HeraklezEval:Exploit:O97M/CVE-2017-11882.DR!rfn , ALF:HeraklezEval:PUA:Win32/4Shared , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:HeraklezEval:TrojanDownloader:Win32/Dofoil!rfn , ALF:HeraklezEval:TrojanDownloader:Win32/Ymacco!rfn , ALF:HeraklezEval:VirTool:WinNT/Rootkitdrv.HK , ALF:JASYP:Backdoor:Win32/FlyAgent!atmn ...", "High severity - LokiBot User-Agent (Charon/Inferno) Win32.Worm.Benjamin.A CnC Checkin Worm.Mydoom Checkin User-Agent (explwer)", "Win32/Fosniw MacTryCnt CnC Style Checkin Win32/SniperSpy Checkin LDPinch Checkin Post Win32.Sality-GR Checkin ADWARE/InstallCore.Gen Checkin LokiBot Checkin .", "cdn.porngifs.com, porngifs.com, http://girlscam.xww.de, httpvoyour-cams.xww.de [urlref]", "Worm:Win32/Benjamin", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "URL": 829, "domain": 681, "hostname": 264, "FileHash-SHA256": 1927 }, "indicator_count": 3708, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659f8c2ff1f9c7a3e3605199", "name": "ET MALWARE LokiBot User (Charon/Inferno) Worm:Win32/Benjamin", "description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/\n \nhttps://www.hybrid-analysis.com/sample/3e6f749f6f10dbe471cd14b6441135cdea582f429c523b20d149b335d5b192d2", "modified": "2024-02-10T06:03:44.899000", "created": "2024-01-11T06:35:27.311000", "tags": [ "name verdict", "falcon sandbox", "getprocaddress", "windir", "path", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "pattern match", "win64", "date", "open", "factory", "hybrid", "general", "config" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 3, "FileHash-SHA256": 1371, "hostname": 165, "SSLCertFingerprint": 2, "URL": 653, "domain": 693, "email": 1 }, "indicator_count": 2895, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8f1e5db08cf140cdea23", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-03T19:08:14.934000", "created": "2024-02-03T19:08:14.934000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65b85d301a253bd67048cbba", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "799 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8e4a55f5851279c265c8", "name": "https://www.hallrender.com/attorney/brian-sabey/ Gopher Ransomware ", "description": "", "modified": "2024-02-03T19:04:42.251000", "created": "2024-02-03T19:04:42.251000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b85e73efe2e053366ed972", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "799 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85d301a253bd67048cbba", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-30T02:21:36.334000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65a2e3ebbb1bdfd541af3e91", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6593c7224a0e8926c28f73d5", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "Sent to me by D*n*i* M. P*r**h. I can't comprehend. Looks like framing and cyber tracking pf a SA victim by a sheriff best friend of reporting doctor whose wife is Douglas Co coroner. Reporting MD threatened and warned Brashears of what would happen then warned SA PT by relating issues. Targets and associated as severe risk.", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-02T08:19:45.693000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "114.114.114.114 [Tulach]", "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY®ion=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0", "mobileaccess.intel.com", "http://apple.helptechnicalsupport.com/favicon.ico", "http://114.114.114.114/ipw.ps1", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "cdn.porngifs.com, porngifs.com, http://girlscam.xww.de, httpvoyour-cams.xww.de [urlref]", "www-stage40.pornhub.com", "sabey.com", "CVE-2023-4966", "http://pegasus.diskel.co.uk/ [phishing]", "attorney-marketing-specialists.com ?", "UCHealth 'University of Cincinnati' vulnerable/compromised/related 'UCHealth.com' domains and URL's", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "hanmail.net", "fds.cellebrite.com", "Win32/Fosniw MacTryCnt CnC Style Checkin Win32/SniperSpy Checkin LDPinch Checkin Post Win32.Sality-GR Checkin ADWARE/InstallCore.Gen Checkin LokiBot Checkin .", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "apple-identifiant.info", "business-support.intel.com", "http://109.206.241.129/666bins/666.mpsl", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.journaldev.com/41403/regex", "This is all too strange! Corruption or Spoofed?", "Malicious: Drops executable files to the Windows system directory details File type \"DOS executable (COM)\"", "https://cellebrite.com/en/federal-government/ [Pegasus ck privilege collection]", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "work.a-poster.info", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend", "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc", "What Is LockBit Ransomware? BlackBerry https://www.blackberry.com \u203a ransomware-protection", "13.107.136.8 [ Tulach Malware IP redirect]", "cellebrite.com", "http://watchhers.net/index.php [remote attackers | malware spreader]", "Medium severity - dumped_buffer js_eval network_http allocates_rwx antisandbox_foregroundwindows creates_exe creates_shortcut suspicious_process stealth_window uses_windows_utilities recon_fingerprint antivm_memory_available Less High Priority IP\u2019s Contacted 16 IP\u2019s Contacted 104.16.18.94 104.20.234.39 104.26.11.189 104.26.3.202 13.107.4.50 More Domains Contacted 17 Domains Contacted www.bing.com www.allaboutcircuits.com allaboutcircuits.com ocsp.digicert.com securepubads.g.doubleclick.net More Related", "artificial-legal-intelligence.com", "defenselawyernj.com", "api-stage.pornhub.com", "location-icloud.com", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "114.114.114.114", "https://hybrid-analysis.com/sample/ba36c01de22294d112f52e837086486b4a6a40c4eb3eac08217f3e46eb17d21b/65a432f32a1edd2da00ac71e", "https://cancer.uchealth.com/ | http://michaela.young@uchealth.com/ | https://www.uchealth.com/physician/frank-avilucea/ |", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "voyour-cams.xww.de [W32.DSS.Trojan]", "https://my.uchealth.com/myuchealth/inside.asp?mode=labdetail&e%E2%80%A64bK43QgfcL6kD9bT8hI9YIXWVk5xuOPWrqJQNWVGZwZo-3D&printmode=true", "quackbot? Qbot qakbot positive", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "http://www.apple.com/appleca/AppleIncRootCertificate.cer", "http://medlineplus.gov.https.sci-hub.st", "https://t.me/hermitspyware/24", "0-courier.push.apple.com", "http://103.246.145.111/gate.php?hwid=WALKER-PC-WALKER&os=Windows%207%20Enterprise&cpu=Intel", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "http://uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf | https://www.uchealth.com/locations/uc-health-physicians-office-midtown/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.uchealth.com/physician/t-toan-le/?ref=35&site=30 | https://www.uchealth.com/physician/t-toan-le/?ref=35&site=30", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h", "nr-data.net", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "http://watchhers.net/index.php [malware spreader]", "familyhandyman.com", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "High severity - suspicious_write_exe, network_icmp, modifies_certificates, process_martian, injection_resumethread", "https://hybrid-analysis.com/sample/772d7c597071913ba41e1b0f6b24bbb9d512cbe8f884e482a2d187f5a95281bc/65a880b7d29f11c8c30ad32e", "http://ip-api.com/json/", "www.videolan.org [info solutions]", "http://watchhers.net/index.php", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "allaboutcircuits.com l DGA domain | treehugger.com [ueleconomy.gov] | uchealth.com | http://cancer.uchealth.com | https://cancer.uchealth.com", "64.190.63.111 | More AV Detection | !#HSTR:SigGen0136cb6c, ALF:CERT:Adware:Win32/Peapoon , ALF:HeraklezEval:Exploit:O97M/CVE-2017-11882.DR!rfn , ALF:HeraklezEval:PUA:Win32/4Shared , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:HeraklezEval:TrojanDownloader:Win32/Dofoil!rfn , ALF:HeraklezEval:TrojanDownloader:Win32/Ymacco!rfn , ALF:HeraklezEval:VirTool:WinNT/Rootkitdrv.HK , ALF:JASYP:Backdoor:Win32/FlyAgent!atmn ...", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "nr-data.net [Apple Private Data Collection]", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "go.sabey.com", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24wYBOtOuf1BKR-2B8XDFJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "https://www.enigmasoftware.com/malbehav374-removal/", "143.244.50.213 |169.150.249.162 [malware_hosting]", "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "https://www.pornhub.com/video/search?search=tsara+brashears", "joebiden.com", "deadlineday.twitter.com", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://www.hybrid-analysis.com/sample/5cde83981d63661bad25f5900043e2dacaae3aac005b1201d7ea8182c0ec427c/659e999528b388097206d52c", "194.245.148.189 [CnC]", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://tulach.cc/", "Worm:Win32/Benjamin", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225", "http://uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "https://www.anyxxxtube.net/media/favicon/apple", "newbrazzers.com [y8.com]", "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "0-i-0.xyz", "match.pegasus.isi.edu", "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact", "http://download.virtualbox.org/virtualbox/debian", "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://github.com/MISP/misp-galaxy/blame/master/clusters/threat-actor.json", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "cs001.informativeremail-apple.zoom.com.cn", "djcodychase.com", "69.197.153.180", "http://intel.net/.about.html", "message.htm.com", "https://my.uchealth.com/myuchealth/Authentication/Login/DoJump?token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ1cm46VUNIZWFsdGg6Y2Utc", "00000000000.cloudfront.net", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]", "http://dropbox.com/ [ intrusions/ dropbox stealer]", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://pl.gov-zaloguj.info", "www2.blackbagtech.com [hidden users included]", "https://www.hallrender.com/attorney/brian-sabey/", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "xred.mooo.com [pornhub trojan]", "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv", "https://twitter.com/sheriffspurlock?lang=en", "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]", "asp.net", "http://voyour-cams.xww.de/ [image referer, dga, malware, parked, ads]", "114.114.114.114 [ Tulach Malware IP]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "Malicious File Hash- SHA256 98a2a9c25e6240e44c595a693ed7b48c9c412969855b219e46dd9379006673d3", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "High severity - LokiBot User-Agent (Charon/Inferno) Win32.Worm.Benjamin.A CnC Checkin Worm.Mydoom Checkin User-Agent (explwer)", "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en", "remote.aciscomputers.com", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "LockBit 3.0 Ransomware Affiliates" ], "malware_families": [ "Sabey", "Exodus", "Formbook", "Virtool:win32/tofsee", "Alf:pua:win32/opencandy", "Trojan:win32/comspec", "Trojan:win32/tiggre", "Swrort", "Gopher", "Ransomexx", "Hallrender", "Hacktool:win32/crack", "Tel:trojandownloader:o97m/msiexecabuse", "Cobalt strike - s0154", "Backdoor:linux/mumblehard", "Zbot", "'win32:trojan-gen", "Tulach", "Tel:hacktool:win32/artemisuser", "Cobalt strike", "Redline stealer", "Pws:win32/raven", "#lowfi:scpt:kiraasciiobfuscator", "Dark power", "Quackbot", "Trojanspy", "Alf:jasyp:pua:win32/systweak", "Trojan:msil/clipbanker.gb!mtb", "Comspec", "Lolkek", "Tofsee", "Hacktool", "Kimsuky", "Pws:win32/vb.cu", "Hidelink", "Trojanspy:win32/swisyn", "Qbot", "Ascii exploit", "Behav", "Worm:win32/mofksys.b", "Worm:win32/mofksys.rnd!mtb", "Worm:logo/logic", "Emotet", "Maltiverse", "Relic", "Crypt3.blxp", "Etpro trojan", "Quasar rat", "Win.packed.zusy-7170176-0", "Win.trojan.zbot-9880005-0", "Njrat", "Trojan:win32/filetour", "Lockbit", "Tinynote", "Backdoor:win32/simda", "Trojan:win32/wacatac", "Ransomware", "Win.dropper.xtremerat-7708589-0", "Virus:win32/floxif.h", "Worm:win32/benjamin", "Artro", "Webtoolbar" ], "industries": [ "Government", "Survivor", "Telecommunications", "Private sector", "Civil society", "Patient", "Individual", "Education", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69d4595cd9283fc7a5aa03ab", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T03:46:03.154000", "created": "2026-04-07T01:09:48.152000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 195, "domain": 120, "IPv4": 14, "hostname": 101, "CVE": 1 }, "indicator_count": 3497, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595b8c340900560463a8", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:12.329000", "created": "2026-04-07T01:09:47.893000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595beae76fc81c99cf63", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:10.274000", "created": "2026-04-07T01:09:47.895000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595bad55db9318902436", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:47.753000", "created": "2026-04-07T01:09:47.753000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595a99f229f5b99ce366", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:46.696000", "created": "2026-04-07T01:09:46.696000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4594ea685ae6b9912f97b", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:34.613000", "created": "2026-04-07T01:09:34.613000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d45947ce0025cf5afbb117", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:27.333000", "created": "2026-04-07T01:09:27.333000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adce952052db1643eb1", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:40.683000", "created": "2026-04-06T22:59:40.683000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ada131daf14003078c7", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:38.191000", "created": "2026-04-06T22:59:38.191000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adaef39c73f026077c0", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-04-06T22:59:38.174000", "created": "2026-04-06T22:59:38.174000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "IPv4": 88, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2401, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "php.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "php.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776085109.1215255 }