{ "type": "Domain", "indicator": "ragebot.fun", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ragebot.fun", "alexa": "http://www.alexa.com/siteinfo/ragebot.fun", "indicator": "ragebot.fun", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4076975992, "indicator": "ragebot.fun", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "687a2cb559edf512d7f0646d", "name": "Old Miner, New Tricks.", "description": "The investigation into the Lcryx ransomware by the FortiCNAPP team reveals notable overlaps with the H2Miner crypto mining botnet, suggesting a collaborative effort or adaptation by threat actors to enhance financial gain. The Lcryx ransomware, particularly its new variant Lcrypt0rx, is identified as a VBScript-based ransomware first seen in November 2024, exhibiting anomalies indicating potential AI generation. Evidence includes function duplication, erroneous persistence mechanisms, flawed encryption logic, and malformed syntax. These indicators point to poorly optimized code generation and illogical behaviors within its execution.", "modified": "2025-08-17T10:03:51.060000", "created": "2025-07-18T11:15:01.770000", "tags": [ "fortiguard labs threat research", "lcrypt0rx", "h2miner", "fortinet", "kinsing", "fortigate", "fortimail", "disarm", "xor encryption", "h2miner threat", "ui interference", "cobalt strike", "cloud", "malware", "malicious", "powershell", "service" ], "references": [ "https://www.fortinet.com/blog/threat-research/old-miner-new-tricks" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "FileHash-MD5": 23, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "CVE": 3, "domain": 12, "hostname": 1 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "289 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684fb9e72bef22b43e0ce6b3", "name": "Lcryx Ransomware VBS Script: Tactics, Techniques, and IOC.", "description": "The Lcryx ransomware\u2019s VBS script, revealing its obfuscation techniques, execution flow, and persistence mechanisms. The analysis includes Indicators of Compromise (IOCs), behavioral patterns, and mitigation strategies to help defenders detect and prevent infections. Based on findings from Medium article.", "modified": "2025-07-16T06:01:43.026000", "created": "2025-06-16T06:29:59.284000", "tags": [ "true", "createobject", "regsz", "regdword", "processfolder", "error resume", "vbcrlf", "false", "desktop", "next", "music", "loop", "amadey", "smokeloader", "ransomware", "powershell", "first", "open", "encrypt", "infect", "back", "download", "malicious", "rats", "djvu", "stealc", "privateloader", "lcryx", "lcryptorx", "hosted" ], "references": [ "https://medium.com/@shubhandrew/analysis-of-lcryx-ransomware-vbs-script-e34d2d2112f6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LCRYX", "display_name": "LCRYX", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "LCRYPTORX", "display_name": "LCRYPTORX", "target": null }, { "id": "Hosted", "display_name": "Hosted", "target": null }, { "id": "Smokeloader", "display_name": "Smokeloader", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "URL": 48, "hostname": 2, "FileHash-SHA256": 23 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.fortinet.com/blog/threat-research/old-miner-new-tricks", "https://medium.com/@shubhandrew/analysis-of-lcryx-ransomware-vbs-script-e34d2d2112f6" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Lcryptorx", "Amadey", "Hosted", "Smokeloader", "Lcryx" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "687a2cb559edf512d7f0646d", "name": "Old Miner, New Tricks.", "description": "The investigation into the Lcryx ransomware by the FortiCNAPP team reveals notable overlaps with the H2Miner crypto mining botnet, suggesting a collaborative effort or adaptation by threat actors to enhance financial gain. The Lcryx ransomware, particularly its new variant Lcrypt0rx, is identified as a VBScript-based ransomware first seen in November 2024, exhibiting anomalies indicating potential AI generation. Evidence includes function duplication, erroneous persistence mechanisms, flawed encryption logic, and malformed syntax. These indicators point to poorly optimized code generation and illogical behaviors within its execution.", "modified": "2025-08-17T10:03:51.060000", "created": "2025-07-18T11:15:01.770000", "tags": [ "fortiguard labs threat research", "lcrypt0rx", "h2miner", "fortinet", "kinsing", "fortigate", "fortimail", "disarm", "xor encryption", "h2miner threat", "ui interference", "cobalt strike", "cloud", "malware", "malicious", "powershell", "service" ], "references": [ "https://www.fortinet.com/blog/threat-research/old-miner-new-tricks" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "FileHash-MD5": 23, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "CVE": 3, "domain": 12, "hostname": 1 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "289 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684fb9e72bef22b43e0ce6b3", "name": "Lcryx Ransomware VBS Script: Tactics, Techniques, and IOC.", "description": "The Lcryx ransomware\u2019s VBS script, revealing its obfuscation techniques, execution flow, and persistence mechanisms. The analysis includes Indicators of Compromise (IOCs), behavioral patterns, and mitigation strategies to help defenders detect and prevent infections. Based on findings from Medium article.", "modified": "2025-07-16T06:01:43.026000", "created": "2025-06-16T06:29:59.284000", "tags": [ "true", "createobject", "regsz", "regdword", "processfolder", "error resume", "vbcrlf", "false", "desktop", "next", "music", "loop", "amadey", "smokeloader", "ransomware", "powershell", "first", "open", "encrypt", "infect", "back", "download", "malicious", "rats", "djvu", "stealc", "privateloader", "lcryx", "lcryptorx", "hosted" ], "references": [ "https://medium.com/@shubhandrew/analysis-of-lcryx-ransomware-vbs-script-e34d2d2112f6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LCRYX", "display_name": "LCRYX", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "LCRYPTORX", "display_name": "LCRYPTORX", "target": null }, { "id": "Hosted", "display_name": "Hosted", "target": null }, { "id": "Smokeloader", "display_name": "Smokeloader", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "URL": 48, "hostname": 2, "FileHash-SHA256": 23 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ragebot.fun", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ragebot.fun", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780461771.7443125 }