{
  "type": "Domain",
  "indicator": "powershell.services",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/powershell.services",
    "alexa": "http://www.alexa.com/siteinfo/powershell.services",
    "indicator": "powershell.services",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2669823919,
      "indicator": "powershell.services",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "6775b17c488523ee9d290afd",
          "name": "agressive extra",
          "description": "",
          "modified": "2025-03-17T22:57:49.933000",
          "created": "2025-01-01T21:19:56.847000",
          "tags": [],
          "references": [
            "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.rules"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 35208,
            "URL": 79504,
            "domain": 19527,
            "hostname": 28058,
            "CVE": 9
          },
          "indicator_count": 162306,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 207,
          "modified_text": "440 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63035726d6c09f92e570e9aa",
          "name": "HelloXD",
          "description": "",
          "modified": "2022-09-21T00:02:24.222000",
          "created": "2022-08-22T10:15:02.795000",
          "tags": [
            "filehash256",
            "filehashmd5",
            "ip address",
            "filehashsha1",
            "domain"
          ],
          "references": [
            "HelloXD.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Professionalservices-SOC",
            "id": "106940",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 57,
            "FileHash-SHA1": 57,
            "FileHash-SHA256": 57,
            "domain": 3
          },
          "indicator_count": 174,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "1349 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "630357283c362ea703661985",
          "name": "HelloXD",
          "description": "",
          "modified": "2022-09-21T00:02:24.222000",
          "created": "2022-08-22T10:15:04.773000",
          "tags": [
            "filehash256",
            "filehashmd5",
            "ip address",
            "filehashsha1",
            "domain"
          ],
          "references": [
            "HelloXD.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Professionalservices-SOC",
            "id": "106940",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 57,
            "FileHash-SHA1": 57,
            "FileHash-SHA256": 57,
            "domain": 3
          },
          "indicator_count": 174,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "1349 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63035728c7680b51c68c91cf",
          "name": "HelloXD",
          "description": "",
          "modified": "2022-09-21T00:02:24.222000",
          "created": "2022-08-22T10:15:04.601000",
          "tags": [
            "filehash256",
            "filehashmd5",
            "ip address",
            "filehashsha1",
            "domain"
          ],
          "references": [
            "HelloXD.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Professionalservices-SOC",
            "id": "106940",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 57,
            "FileHash-SHA1": 57,
            "FileHash-SHA256": 57,
            "domain": 3
          },
          "indicator_count": 174,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "1349 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62bb93605b7e027603286b09",
          "name": "Backdoor Installed by HelloXD Ransomware on Windows and Linux Systems",
          "description": "",
          "modified": "2022-07-29T00:00:24.010000",
          "created": "2022-06-28T23:48:48.559000",
          "tags": [],
          "references": [
            "June 13th, 2022 - CryptoGen Cyber Threat Intelligence - Backdoor Installed by HelloXD Ransomware on Windows and Linux Systems.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "FileHash-MD5": 57,
            "FileHash-SHA1": 57,
            "FileHash-SHA256": 57,
            "hostname": 49
          },
          "indicator_count": 226,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1403 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62b97384b4717fb44c973d06",
          "name": "HelloXD Ransomware Uses Modified ClamAV Logo in Executables and Provides Tox Chat ID to Reach Attackers",
          "description": "HelloXD is a ransomware family performing double extortion attacks that were first observed in the wild on November 30, 2021. Multiple variants impacting Windows and Linux systems were observed. This ransomware family uses a modified ClamAV logo in their executables and prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.\n\nTox Chat ID used for negotiations\nThe ransomware creates an ID for the victim which has to be sent to the attacker to make it possible to identify the victim and provide a decryptor. The ransom note also instructs victims to download Tox and provides a Tox Chat ID to reach the threat actor. Tox is being used by other ransomware groups like LockBit 2.0 for negotiations.",
          "modified": "2022-07-27T00:02:05.219000",
          "created": "2022-06-27T09:08:20.335000",
          "tags": [
            "malware",
            "infrastructure",
            "HelloXD",
            "Ransomware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "Malware Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 57,
            "FileHash-SHA1": 57,
            "FileHash-SHA256": 57,
            "domain": 3,
            "hostname": 49
          },
          "indicator_count": 223,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 191,
          "modified_text": "1405 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a7f3550c8cf623e805df62",
          "name": "Exposing HelloXD Ransomware and x4k",
          "description": "Unit 42, a Palo Alto Networks research team, has identified the developer of the HelloXD ransomware family, which has been performing double extortion attacks in the wild from 2021 to 2022.",
          "modified": "2022-07-14T00:05:09.745000",
          "created": "2022-06-14T02:32:53.412000",
          "tags": [
            "helloxd",
            "cobalt strike",
            "microbackdoor",
            "babuk",
            "lockbit",
            "ghost",
            "ransomware",
            "crypter",
            "august",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "HelloXD",
              "display_name": "HelloXD",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Babuk",
              "display_name": "Babuk",
              "target": null
            },
            {
              "id": "MicroBackdoor",
              "display_name": "MicroBackdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "caralin0702",
            "id": "73972",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 55,
            "domain": 6
          },
          "indicator_count": 67,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 100,
          "modified_text": "1418 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a750a3149cfd7b2e600ea1",
          "name": "Resurface of HelloXD Ransomware targeting Windows and Linux Systems",
          "description": "Recently, a reemergence of a ransomware named HelloXD which initially surfaced in the wild in November 2021 was observed. HelloXD is a ransomware that performs double extortion attacks targeting Windows and Linux systems. HelloXD was seen to utilize multiple encryption algorithms such as Curve25519-Donna, modified HC-128, and Rabbit symmetric cipher to lock the victims\u2019 data for ransom.",
          "modified": "2022-07-13T14:04:24.570000",
          "created": "2022-06-13T14:58:43.644000",
          "tags": [],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 278,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Provintell-Lab",
            "id": "112104",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "hostname": 49,
            "domain": 6,
            "FileHash-SHA256": 57
          },
          "indicator_count": 113,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 251,
          "modified_text": "1419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a6e06f1354cea3095da6b5",
          "name": "Exposing HelloXD Ransomware and x4k",
          "description": "Unit 42, a Palo Alto Networks research team, has identified the developer of the HelloXD ransomware family, which has been performing double extortion attacks since November 2021, and is believed to be linked to x4k.",
          "modified": "2022-07-13T00:02:33.637000",
          "created": "2022-06-13T06:59:59",
          "tags": [
            "helloxd",
            "cobalt strike",
            "microbackdoor",
            "babuk",
            "figure",
            "lockbit",
            "palo alto",
            "networks",
            "github account",
            "windows",
            "unit",
            "ghost",
            "ransomware",
            "alliance",
            "crypter",
            "wildfire",
            "virustotal",
            "june",
            "august",
            "ivan",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "HelloXD",
              "display_name": "HelloXD",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Babuk",
              "display_name": "Babuk",
              "target": null
            },
            {
              "id": "MicroBackdoor",
              "display_name": "MicroBackdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "URL": 1,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 57,
            "email": 1,
            "hostname": 58
          },
          "indicator_count": 167,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a74840177e136a3b7488d1",
          "name": "Hello XD ransomware now drops a backdoor while encrypting",
          "description": "Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.\n\nFirst observed in November 2021, the particular family was based on the leaked source code of Babuk and engaged in a small number of double-extortion attacks where the threat actors stole corporate data before encrypting devices.\n\nAccording to a new report by Palo Alto Networks Unit 42, the malware's author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes.",
          "modified": "2022-07-13T00:02:33.637000",
          "created": "2022-06-13T14:22:56.316000",
          "tags": [
            "helloxd",
            "cobalt strike",
            "microbackdoor",
            "babuk",
            "figure",
            "lockbit",
            "palo alto",
            "networks",
            "github account",
            "windows",
            "unit",
            "ghost",
            "ransomware",
            "alliance",
            "crypter",
            "wildfire",
            "virustotal",
            "june",
            "august",
            "ivan",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/",
            "https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "HelloXD",
              "display_name": "HelloXD",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Babuk",
              "display_name": "Babuk",
              "target": null
            },
            {
              "id": "MicroBackdoor",
              "display_name": "MicroBackdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 268,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 57,
            "domain": 6,
            "email": 1,
            "hostname": 58
          },
          "indicator_count": 161,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 434,
          "modified_text": "1419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a46e4397b6c746c5fd2b60",
          "name": "HelloXD",
          "description": "",
          "modified": "2022-07-11T00:03:00.528000",
          "created": "2022-06-11T10:28:19.286000",
          "tags": [
            "malware",
            "infrastructure"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "brazen.fox.thirteen",
            "id": "155136",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 57,
            "domain": 3,
            "hostname": 49
          },
          "indicator_count": 147,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "1421 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a46e44df56e7fb13cba346",
          "name": "HelloXD",
          "description": "",
          "modified": "2022-07-11T00:03:00.528000",
          "created": "2022-06-11T10:28:20.932000",
          "tags": [
            "malware",
            "infrastructure"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "brazen.fox.thirteen",
            "id": "155136",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 57,
            "domain": 3,
            "hostname": 49
          },
          "indicator_count": 147,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "1421 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6220a96f7c3dabb66a118a1e",
          "name": "Russian related IOCs",
          "description": "",
          "modified": "2022-04-01T00:01:54.852000",
          "created": "2022-03-03T11:41:35.379000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "vtomljanovic",
            "id": "78099",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "URL": 1,
            "domain": 1003,
            "hostname": 11
          },
          "indicator_count": 1016,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "1522 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.rules",
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/",
        "June 13th, 2022 - CryptoGen Cyber Threat Intelligence - Backdoor Installed by HelloXD Ransomware on Windows and Linux Systems.pdf",
        "https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/",
        "HelloXD.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Malware Advisory"
          ],
          "malware_families": [
            "Cobalt strike",
            "Helloxd",
            "Babuk",
            "Microbackdoor"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "6775b17c488523ee9d290afd",
      "name": "agressive extra",
      "description": "",
      "modified": "2025-03-17T22:57:49.933000",
      "created": "2025-01-01T21:19:56.847000",
      "tags": [],
      "references": [
        "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.rules"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 35208,
        "URL": 79504,
        "domain": 19527,
        "hostname": 28058,
        "CVE": 9
      },
      "indicator_count": 162306,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 207,
      "modified_text": "440 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63035726d6c09f92e570e9aa",
      "name": "HelloXD",
      "description": "",
      "modified": "2022-09-21T00:02:24.222000",
      "created": "2022-08-22T10:15:02.795000",
      "tags": [
        "filehash256",
        "filehashmd5",
        "ip address",
        "filehashsha1",
        "domain"
      ],
      "references": [
        "HelloXD.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Professionalservices-SOC",
        "id": "106940",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 57,
        "FileHash-SHA1": 57,
        "FileHash-SHA256": 57,
        "domain": 3
      },
      "indicator_count": 174,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "1349 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "630357283c362ea703661985",
      "name": "HelloXD",
      "description": "",
      "modified": "2022-09-21T00:02:24.222000",
      "created": "2022-08-22T10:15:04.773000",
      "tags": [
        "filehash256",
        "filehashmd5",
        "ip address",
        "filehashsha1",
        "domain"
      ],
      "references": [
        "HelloXD.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Professionalservices-SOC",
        "id": "106940",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 57,
        "FileHash-SHA1": 57,
        "FileHash-SHA256": 57,
        "domain": 3
      },
      "indicator_count": 174,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "1349 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63035728c7680b51c68c91cf",
      "name": "HelloXD",
      "description": "",
      "modified": "2022-09-21T00:02:24.222000",
      "created": "2022-08-22T10:15:04.601000",
      "tags": [
        "filehash256",
        "filehashmd5",
        "ip address",
        "filehashsha1",
        "domain"
      ],
      "references": [
        "HelloXD.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Professionalservices-SOC",
        "id": "106940",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 57,
        "FileHash-SHA1": 57,
        "FileHash-SHA256": 57,
        "domain": 3
      },
      "indicator_count": 174,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "1349 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62bb93605b7e027603286b09",
      "name": "Backdoor Installed by HelloXD Ransomware on Windows and Linux Systems",
      "description": "",
      "modified": "2022-07-29T00:00:24.010000",
      "created": "2022-06-28T23:48:48.559000",
      "tags": [],
      "references": [
        "June 13th, 2022 - CryptoGen Cyber Threat Intelligence - Backdoor Installed by HelloXD Ransomware on Windows and Linux Systems.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "FileHash-MD5": 57,
        "FileHash-SHA1": 57,
        "FileHash-SHA256": 57,
        "hostname": 49
      },
      "indicator_count": 226,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "1403 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62b97384b4717fb44c973d06",
      "name": "HelloXD Ransomware Uses Modified ClamAV Logo in Executables and Provides Tox Chat ID to Reach Attackers",
      "description": "HelloXD is a ransomware family performing double extortion attacks that were first observed in the wild on November 30, 2021. Multiple variants impacting Windows and Linux systems were observed. This ransomware family uses a modified ClamAV logo in their executables and prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.\n\nTox Chat ID used for negotiations\nThe ransomware creates an ID for the victim which has to be sent to the attacker to make it possible to identify the victim and provide a decryptor. The ransom note also instructs victims to download Tox and provides a Tox Chat ID to reach the threat actor. Tox is being used by other ransomware groups like LockBit 2.0 for negotiations.",
      "modified": "2022-07-27T00:02:05.219000",
      "created": "2022-06-27T09:08:20.335000",
      "tags": [
        "malware",
        "infrastructure",
        "HelloXD",
        "Ransomware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
      ],
      "public": 1,
      "adversary": "Malware Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 57,
        "FileHash-SHA1": 57,
        "FileHash-SHA256": 57,
        "domain": 3,
        "hostname": 49
      },
      "indicator_count": 223,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 191,
      "modified_text": "1405 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a7f3550c8cf623e805df62",
      "name": "Exposing HelloXD Ransomware and x4k",
      "description": "Unit 42, a Palo Alto Networks research team, has identified the developer of the HelloXD ransomware family, which has been performing double extortion attacks in the wild from 2021 to 2022.",
      "modified": "2022-07-14T00:05:09.745000",
      "created": "2022-06-14T02:32:53.412000",
      "tags": [
        "helloxd",
        "cobalt strike",
        "microbackdoor",
        "babuk",
        "lockbit",
        "ghost",
        "ransomware",
        "crypter",
        "august",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "HelloXD",
          "display_name": "HelloXD",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Babuk",
          "display_name": "Babuk",
          "target": null
        },
        {
          "id": "MicroBackdoor",
          "display_name": "MicroBackdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "caralin0702",
        "id": "73972",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 55,
        "domain": 6
      },
      "indicator_count": 67,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 100,
      "modified_text": "1418 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a750a3149cfd7b2e600ea1",
      "name": "Resurface of HelloXD Ransomware targeting Windows and Linux Systems",
      "description": "Recently, a reemergence of a ransomware named HelloXD which initially surfaced in the wild in November 2021 was observed. HelloXD is a ransomware that performs double extortion attacks targeting Windows and Linux systems. HelloXD was seen to utilize multiple encryption algorithms such as Curve25519-Donna, modified HC-128, and Rabbit symmetric cipher to lock the victims\u2019 data for ransom.",
      "modified": "2022-07-13T14:04:24.570000",
      "created": "2022-06-13T14:58:43.644000",
      "tags": [],
      "references": [
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 278,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Provintell-Lab",
        "id": "112104",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "hostname": 49,
        "domain": 6,
        "FileHash-SHA256": 57
      },
      "indicator_count": 113,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 251,
      "modified_text": "1419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a6e06f1354cea3095da6b5",
      "name": "Exposing HelloXD Ransomware and x4k",
      "description": "Unit 42, a Palo Alto Networks research team, has identified the developer of the HelloXD ransomware family, which has been performing double extortion attacks since November 2021, and is believed to be linked to x4k.",
      "modified": "2022-07-13T00:02:33.637000",
      "created": "2022-06-13T06:59:59",
      "tags": [
        "helloxd",
        "cobalt strike",
        "microbackdoor",
        "babuk",
        "figure",
        "lockbit",
        "palo alto",
        "networks",
        "github account",
        "windows",
        "unit",
        "ghost",
        "ransomware",
        "alliance",
        "crypter",
        "wildfire",
        "virustotal",
        "june",
        "august",
        "ivan",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "HelloXD",
          "display_name": "HelloXD",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Babuk",
          "display_name": "Babuk",
          "target": null
        },
        {
          "id": "MicroBackdoor",
          "display_name": "MicroBackdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 11,
        "URL": 1,
        "FileHash-MD5": 19,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 57,
        "email": 1,
        "hostname": 58
      },
      "indicator_count": 167,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a74840177e136a3b7488d1",
      "name": "Hello XD ransomware now drops a backdoor while encrypting",
      "description": "Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.\n\nFirst observed in November 2021, the particular family was based on the leaked source code of Babuk and engaged in a small number of double-extortion attacks where the threat actors stole corporate data before encrypting devices.\n\nAccording to a new report by Palo Alto Networks Unit 42, the malware's author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes.",
      "modified": "2022-07-13T00:02:33.637000",
      "created": "2022-06-13T14:22:56.316000",
      "tags": [
        "helloxd",
        "cobalt strike",
        "microbackdoor",
        "babuk",
        "figure",
        "lockbit",
        "palo alto",
        "networks",
        "github account",
        "windows",
        "unit",
        "ghost",
        "ransomware",
        "alliance",
        "crypter",
        "wildfire",
        "virustotal",
        "june",
        "august",
        "ivan",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/",
        "https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "HelloXD",
          "display_name": "HelloXD",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Babuk",
          "display_name": "Babuk",
          "target": null
        },
        {
          "id": "MicroBackdoor",
          "display_name": "MicroBackdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 268,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 19,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 57,
        "domain": 6,
        "email": 1,
        "hostname": 58
      },
      "indicator_count": 161,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 434,
      "modified_text": "1419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "powershell.services",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "powershell.services",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780342489.6753483
}