{ "type": "Domain", "indicator": "render.game", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/render.game", "alexa": "http://www.alexa.com/siteinfo/render.game", "indicator": "render.game", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3538298855, "indicator": "render.game", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66844266b18b359a3a385cf4", "name": "Alberta NDP", "description": "This pulse takes a peak into the Alberta NDP party and their current breach situation. The (original) purpose of this pulse was to further identify and characterize issues relating to the (still) ongoing UAlberta breach and to see if the Alberta NDP were impacted. Prepared this pulse to present to them as a component of it's relevancy to their own infrastructure (e.g. highlighting the privacy, safety, security implications for their party) as it was 2 months ago. Was told my contacts would be on vacation until September. It now seems during that waiting time much of the party and it's leaders have been breached/affected by similar malware & infostealers. Still waiting?", "modified": "2024-09-04T19:53:22.824000", "created": "2024-07-02T18:09:42.084000", "tags": [ "Hacked", "" ], "references": [ "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "https://www.ipvoid.com/whois/", "https://leakix.net/search?scope=leak&q=alberta.ca", "https://intelx.io/?s=albertandp.ca", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Healthcare", "Education", "Technology", "Hospitality", "Finance", "Manufacturing", "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10030, "FileHash-MD5": 719, "FileHash-SHA1": 719, "FileHash-SHA256": 14832, "URL": 12538, "hostname": 10238, "CVE": 35, "email": 2, "CIDR": 847 }, "indicator_count": 49960, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "633 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ff8073d5ec6f25915eee77", "name": "confirmation spam email", "description": "Small sample of an email message that has passed through Gmail's phishing and spam filter. A confirmation email from both cashapp,costco, AceHardware,Walmart, Dicks Sporting Goods, with links hosted on Amazonaws. A common theme between all messages is that the contain a link to an amazon AWS. Redirecting to the launchstore[.]quest before reaching its final destination. Clearly marked phishing by VT, but not specific malware threat based on scans on Hybrid Analysis. (UPDATE) The latest entry is now classifed as malicious.\n\nUpdate Milwaukee power drill via Acehardware.\n\n\nSame MO. Amazon AWS link > Thelaunchstore[.]quest>jongberreta[.]com > positionspot.info\n\n\nUpdate 21/13:20 Added Walmart, Acehardware, Dicks sporting goods into the description above.", "modified": "2022-09-20T00:01:18.490000", "created": "2022-08-19T12:22:11.793000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "wow64", "windows nt", "get rd", "details", "request url", "format details", "request get", "raw hex", "ed bf", "c0 a8", "date", "accept", "hybrid", "close", "click", "hosts", "august", "general", "local", "strings", "suspicious", "hybrid analysis", "api key", "vetting process", "please note", "please", "urls", "javascript" ], "references": [ "https://www.virustotal.com/gui/url/914be00fdad8f3107346a98befe3f9479c22279fdde96f791335979535cb925a/details", "https://www.virustotal.com/gui/url/229900b7e2a264dac811b9600ab1c4b8bab8db66d36c991b04ff13989a9a762f/details", "https://hybrid-analysis.com/sample/9e96b4c177ce71ec5e8abe0f7bdd6c8ed3c30c2f8cc4d2b2f8cbd563baa4e21d", "https://hybrid-analysis.com/sample/0c4d6854d2c6e4fc7f5b27d00200b4f9e1dee0d83a253b8ed3f6628369ec53b2/62feba5605ed9d19656a2cc4", "https://www.virustotal.com/gui/url/85027244b8c9b054a86f6ff56c51d7de18b7575fada1a2132f6f766b95df022d/detection", "https://tria.ge/220820-cg7v8sddcm/behavioral1", "https://www.virustotal.com/gui/url/fb0d412d69fc02afac1be2a966500bc93e2fa01347e92bd5528f630bad921b5f?nocache=1", "https://www.virustotal.com/gui/url/c2053470f4ca4ae31a379e12f6cbc90cb0a60d2f038e57fdf20fe0344b8a30dd?nocache=1" ], "public": 1, "adversary": "Mazikeen", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "BraveHeart", "id": "123797", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-MD5": 274, "FileHash-SHA1": 256, "FileHash-SHA256": 267, "URL": 51, "domain": 96, "email": 18, "hostname": 59 }, "indicator_count": 1027, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "https://hybrid-analysis.com/sample/0c4d6854d2c6e4fc7f5b27d00200b4f9e1dee0d83a253b8ed3f6628369ec53b2/62feba5605ed9d19656a2cc4", "https://www.virustotal.com/gui/url/229900b7e2a264dac811b9600ab1c4b8bab8db66d36c991b04ff13989a9a762f/details", "https://tria.ge/220820-cg7v8sddcm/behavioral1", "https://www.virustotal.com/gui/url/c2053470f4ca4ae31a379e12f6cbc90cb0a60d2f038e57fdf20fe0344b8a30dd?nocache=1", "https://leakix.net/search?scope=leak&q=alberta.ca", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "https://intelx.io/?s=albertandp.ca", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "https://www.ipvoid.com/whois/", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://www.virustotal.com/gui/url/85027244b8c9b054a86f6ff56c51d7de18b7575fada1a2132f6f766b95df022d/detection", "https://www.virustotal.com/gui/url/914be00fdad8f3107346a98befe3f9479c22279fdde96f791335979535cb925a/details", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://hybrid-analysis.com/sample/9e96b4c177ce71ec5e8abe0f7bdd6c8ed3c30c2f8cc4d2b2f8cbd563baa4e21d", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "https://www.virustotal.com/gui/url/fb0d412d69fc02afac1be2a966500bc93e2fa01347e92bd5528f630bad921b5f?nocache=1", "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Mazikeen" ], "malware_families": [], "industries": [ "Finance", "Government", "Hospitality", "Healthcare", "Manufacturing", "Retail", "Technology", "Telecommunications", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66844266b18b359a3a385cf4", "name": "Alberta NDP", "description": "This pulse takes a peak into the Alberta NDP party and their current breach situation. The (original) purpose of this pulse was to further identify and characterize issues relating to the (still) ongoing UAlberta breach and to see if the Alberta NDP were impacted. Prepared this pulse to present to them as a component of it's relevancy to their own infrastructure (e.g. highlighting the privacy, safety, security implications for their party) as it was 2 months ago. Was told my contacts would be on vacation until September. It now seems during that waiting time much of the party and it's leaders have been breached/affected by similar malware & infostealers. Still waiting?", "modified": "2024-09-04T19:53:22.824000", "created": "2024-07-02T18:09:42.084000", "tags": [ "Hacked", "" ], "references": [ "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "https://www.ipvoid.com/whois/", "https://leakix.net/search?scope=leak&q=alberta.ca", "https://intelx.io/?s=albertandp.ca", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Healthcare", "Education", "Technology", "Hospitality", "Finance", "Manufacturing", "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10030, "FileHash-MD5": 719, "FileHash-SHA1": 719, "FileHash-SHA256": 14832, "URL": 12538, "hostname": 10238, "CVE": 35, "email": 2, "CIDR": 847 }, "indicator_count": 49960, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "633 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ff8073d5ec6f25915eee77", "name": "confirmation spam email", "description": "Small sample of an email message that has passed through Gmail's phishing and spam filter. A confirmation email from both cashapp,costco, AceHardware,Walmart, Dicks Sporting Goods, with links hosted on Amazonaws. A common theme between all messages is that the contain a link to an amazon AWS. Redirecting to the launchstore[.]quest before reaching its final destination. Clearly marked phishing by VT, but not specific malware threat based on scans on Hybrid Analysis. (UPDATE) The latest entry is now classifed as malicious.\n\nUpdate Milwaukee power drill via Acehardware.\n\n\nSame MO. Amazon AWS link > Thelaunchstore[.]quest>jongberreta[.]com > positionspot.info\n\n\nUpdate 21/13:20 Added Walmart, Acehardware, Dicks sporting goods into the description above.", "modified": "2022-09-20T00:01:18.490000", "created": "2022-08-19T12:22:11.793000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "wow64", "windows nt", "get rd", "details", "request url", "format details", "request get", "raw hex", "ed bf", "c0 a8", "date", "accept", "hybrid", "close", "click", "hosts", "august", "general", "local", "strings", "suspicious", "hybrid analysis", "api key", "vetting process", "please note", "please", "urls", "javascript" ], "references": [ "https://www.virustotal.com/gui/url/914be00fdad8f3107346a98befe3f9479c22279fdde96f791335979535cb925a/details", "https://www.virustotal.com/gui/url/229900b7e2a264dac811b9600ab1c4b8bab8db66d36c991b04ff13989a9a762f/details", "https://hybrid-analysis.com/sample/9e96b4c177ce71ec5e8abe0f7bdd6c8ed3c30c2f8cc4d2b2f8cbd563baa4e21d", "https://hybrid-analysis.com/sample/0c4d6854d2c6e4fc7f5b27d00200b4f9e1dee0d83a253b8ed3f6628369ec53b2/62feba5605ed9d19656a2cc4", "https://www.virustotal.com/gui/url/85027244b8c9b054a86f6ff56c51d7de18b7575fada1a2132f6f766b95df022d/detection", "https://tria.ge/220820-cg7v8sddcm/behavioral1", "https://www.virustotal.com/gui/url/fb0d412d69fc02afac1be2a966500bc93e2fa01347e92bd5528f630bad921b5f?nocache=1", "https://www.virustotal.com/gui/url/c2053470f4ca4ae31a379e12f6cbc90cb0a60d2f038e57fdf20fe0344b8a30dd?nocache=1" ], "public": 1, "adversary": "Mazikeen", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "BraveHeart", "id": "123797", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-MD5": 274, "FileHash-SHA1": 256, "FileHash-SHA256": 267, "URL": 51, "domain": 96, "email": 18, "hostname": 59 }, "indicator_count": 1027, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "render.game", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "render.game", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780248038.9770017 }