{ "type": "Domain", "indicator": "resource.name", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/resource.name", "alexa": "http://www.alexa.com/siteinfo/resource.name", "indicator": "resource.name", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3860992617, "indicator": "resource.name", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fdb8fe7f8e1c50fff4e873", "name": "Yara Dump Abuse.ch", "description": "Abuse.ch dump of all community yara uploads.", "modified": "2024-04-21T16:01:18.859000", "created": "2024-03-22T16:59:42.421000", "tags": [ "description", "detects coyote", "yashraj solanki", "cyber threat", "bridewell", "reference", "hash", "rustynoob619", "drainlog", "signalchromeelf", "falsefront", "peach sandstorm", "credits", "vt sample", "twitter", "tlx0b", "diffquasarrat01", "tx0b", "detects tiny", "turla implant", "turla apt", "detect pe", "pyinstaller", "exodus", "binance", "metamask", "binancewallet", "phantom", "metawallet", "temple", "steam", "detects python", "stealer", "temp", "dword ptr", "ldrdata", "cc by", "orderlinks", "ff ff", "rabbithuntcls", "matanet", "b2 c7", "d4 dd", "ee f1", "aa c7", "e4 f8", "vidar binary", "e8 d1", "e8 bf", "e8 e1", "e8 a3", "f9 ff", "c0 xor", "bitter", "tapt17", "cve20180798", "team", "sifalconteam", "white", "bitter maldoc", "loadlibrarya", "shellexecutea", "bader", "orign logger", "cc bysa", "originlogger", "logsettings", "assembly", "binder", "installation", "options", "downloader", "detects elusive", "stealer malware", "yogesh londhe", "originbot", "bitsight", "cc byncsa", "windows nt", "win64", "post", "tripledes", "detects", "packages", "findfirstfile", "findnextfile", "heapwalk", "mapviewoffile", "switchtofiber", "deletefiber", "findfirstfileex", "writefile", "raiseexception", "matthew", "embeeresearch", "stealc", "cc bync", "find bumblebee", "mmmapiospace", "physicalmemory", "spica backdoor", "callisto", "rust", "apt coldriver", "go bear", "backdoor", "kimsuky", "pe export", "file", "hunting rule", "lockbit", "your", "detects rusty", "bcryptgenrandom", "chat3ux", "lucastealer", "lucasstealer", "credit", "laplas clipper", "debug", "first stage", "second stage", "desktop", "ransomware", "itssoeasy", "keyprocedure", "base64", "decrypt", "whoops", "identifier", "l2lkzw50awzpzxi", "lml0c3nvzwfzeq", "nymaim", "chaitanya", "nymaim loader", "detects troll", "clear", "andre gironda", "andregironda", "detects dice", "loader malware", "fin7 apt", "sekoia", "bitcoin genesis", "block", "eaxecx", "eaxecx1", "edx4", "trojan upatre", "detects upatre", "trojan variant", "host", "user execution", "module load", "t1064", "lodsb", "chinise", "helpcf", "legalcopyright", "detects pikabot", "pe import", "pr0xylife", "embeddedrtffile", "dhaeyerwolf", "cve202336884", "d0 cf", "e0 a1", "word", "msworddoc", "powerpoint", "microsoft excel", "detect", "itssoeasya", "e3 bd", "a4 c4", "guid", "onenote", "emotet", "view", "phorpiex", "publichtml", "htdocs", "httpdocs", "share", "income", "c start", "c rmdir", "detects neshta", "belarusian file", "delphi", "belarus", "apanas", "main0x5", "actor", "author", "jpg20001", "jpg20002", "ff d8", "select", "limerat", "detects lime", "rat malware", "f sc", "onlogon rl", "highest", "pstart", "khtml", "gecko", "service", "pxor", "ff c", "raccoonv2", "yara", "detects raccoon", "stealer version", "recordbreaker", "industrialspy", "storm0978", "magicmsg", "magiceml", "magicics", "appointment", "susuncinemail", "looks", "unc string", "magic", "virtualprotect", "amadey", "c2 traffic", "af09", "support", "android malware", "microsoft", "android support", "library", "p4nd3m1cb0y", "vxlangpacker", "vxlang", "released", "threat actor", "lazarus", "baoshengbincumt", "pecompact2", "code00401000 b8", "code00401005", "code00401006", "code0040100d", "code00401014", "code00401016", "rndhex", "rndchar", "xorcrypt", "tofsee malware", "f6 d9", "c1 eb", "c0 e1", "f7 fb", "detects mimic", "mimic", "delete shadow", "copies", "loading", "news penguin", "pakistan", "mustang panda", "ta416", "new year", "themed campaign", "smica83", "suyog41", "file hash", "detects planet", "source", "filehash", "go buildinf", "upx0", "sendhttprequest", "detects lnk", "matches", "lnk dropper", "apt backdoor", "ding2", "ding1", "ankit anubhav", "vbscripts", "a rule", "cryptderivekey", "size", "lockbit black", "version", "high entropy", "july", "wingsofgod", "windows version", "wograt malware", "developed", "maas loader", "ebpvar8", "byte ptr", "ebpvar10", "xor al", "trojan darkme", "detects darkme", "xchg eax", "cmpsd", "esi8", "fadd", "detects hydra", "uninstall", "detects x86", "bifrost rat", "targeting linux", "falcon", "detects zip", "cve202338831", "winrar", "exploit", "t1203", "crimeware", "lnkheader", "isolnkjscmddll", "detects iso", "gcleaner", "accept", "c taskkill", "http analyzer", "wireshark", "networkminer", "internalname", "detects tuga", "arefileapisansi", "getusernamew", "virtualfree", "closehandle", "blackberry", "rule", "matanbuchusmsi2", "matanbuchus msi", "html smuggling", "ta570", "qakbot", "research", "find mx", "mandafirma", "firmasanta", "actualiza", "attempts", "pikabot maldoc", "zip file", "x73x70x6cx69x74", "x73x6cx69x63x65", "slice", "x63x61x6cx6c", "computeus7", "new code", "header", "web client", "download data", "qakbot new", "campaign iso", "cd001", "unicode file", "windows", "systemroot", "ijg jpeg", "cleandir", "ssh hi", "change config", "stop vmx", "kill vmx", "grep", "sfx archive", "setup", "faild", "hijacjbmppath", "unexist", "sendparam", "injector", "qbot", "detects zipline", "procselfexe", "rtlallocateheap", "detects strela", "hook", "detects office", "html injection", "ee df", "df ee", "nicklas keijser", "truesec", "detection", "babuk", "does", "whole", "a7 dc", "eb be", "detects phobos", "romania", "rekoobe linux", "ab cd", "dc ba", "f0 e1", "d2 c3", "encrypt", "sosemanuk", "findcrypt3 rule", "l1522", "b5 cd", "cc de", "eb b5", "detects malware", "romcom threat", "naumovax", "ordinal", "ghislerstealer1", "ghisler golang", "go stealer", "post sendlog", "userid http", "switchtothread", "ghisler", "note", "ransomwareslug", "slug ransomware", "contact", "anydesk windows", "roth", "anydesk", "scarecrow", "gogc", "state", "aurora stealer", "user datalocal", "reconnect", "user", "screenshot", "crypto", "billy austin", "detects tofsee", "gheg", "tofsee", "outlookbnd", "outlookmid", "telegram", "xml manifest", "rise pro", "pe rich", "false", "applaunch", "yarahub", "c1 e1", "e3 ff", "windarkgate", "hotels", "asyncrat", "azaz09", "malicious pypi", "lazarus group", "pdb paths", "defender", "windefend", "maintenance", "disabledefender", "files", "center", "setservice name", "refresh", "button", "press", "install", "extract", "browse", "winrar sfx", "x0dn", "getserver", "c0 eb", "c0 f7", "cf ff", "c3 b8", "f8 b9", "ff e7", "russianpanda9xx", "detects wiki", "loader", "thanks", "mangusta", "final payload", "trojan", "brazil", "icedidiso", "icedid iso", "busybox reverse", "shell", "heapbufferptr", "marc salinas", "checkpoint", "bumblebee", "call", "getprocessheap", "xor edx", "heapalloc", "zander work", "pythonmasepie", "masepie malware", "python script", "ascii", "buffersize", "guidwsf", "vbscript", "variant", "ta570ta577", "d8 a7", "ae b1", "regdelete", "involves", "tok1", "look", "goodwarehash", "cve202230190", "directory", "relationships", "targetmode", "xor ax", "c3 f7", "ff d6", "wallet", "enkrypt", "braavos", "exodus web3", "trust wallet", "tronium", "opera wallet", "detects xeno", "ransomware lnk", "windows update", "mutexx", "usbs", "appmutex", "getencoderinfo", "stobs64", "aesdecryptor", "aesencryptor", "indate", "ping", "agent tesla", "identify", "anyburn", "nils kuhnert", "isos", "avemaria", "persistence", "midgetporn", "danabot122023", "russianpanda", "danabot", "anfam17", "varp0s", "modification", "linuxmalware", "detect linux", "linux", "mac file", "defense evasion", "b7 fe", "ca ef", "dll loader", "nspx30 implant", "black wood", "detects white", "snake stealer", "downloaddata", "detects ov3r", "facebook ads", "error", "response", "task", "download", "execute", "listen", "modernloader", "b6 c0", "icedid family", "b6 f2", "b6 c9", "f7 f5", "fe c3", "b6 db", "b6 d1", "winhttpconnect", "null terminator", "regex", "xc6x85", "xc6x84x24", "xc6x45", "xc7x45", "xffxff", "xffxffx00", "esp0bh", "playransomware", "detects play", "mickal walter", "itracing", "opaquekeyblob", "open source", "brecht sanders", "pe imphash", "phemedrone", "antivm", "strelastealer", "studio", "strela", "erbium stealer", "file type", "amadey bot", "samples", "almond rat", "qi anxin", "sean dalnodar", "detects rwxs", "bill demirkapi", "zig zig", "zigrich", "zpaq", "zpaq alg", "a2 f1", "b9 de", "b8 f4", "fa ff", "developer", "maael hoerz", "ransomware iso", "iso magic", "dos mode", "office", "malware", "powershell", "sub autoopen", "getobject", "batch", "detects custom", "abcd", "detects reverse", "manifests", "entrypoint", "qakbotwsfloader", "wsf loader", "qakbot dll", "request", "f8 c6", "addr", "limeratadmin", "minning", "lu0bot malware", "winexec", "exitprocess", "callbyname", "companyname", "filedescription", "productname", "getmacid", "proofpoint", "form", "dfir report", "yara rule", "set author", "date", "bazar", "rule set", "search", "parella javan", "exotismwaura", "tmptmpy8thnb", "openslpport", "binsh", "httpserver", "postserver", "detects krusty", "synacktiv", "watchdog module", "remcos", "caliber", "caliber stealer", "lure", "connect", "javascript", "pngs", "detects nevada", "shadow", "detects stealc", "sampletest", "tested", "imminentplugins", "battery", "ram usage", "graphics card", "firewall", "antivirus", "mac address", "internetopenurl", "httpqueryinfo", "deletefile", "openprocess", "process32first", "process32next", "shellexecute", "push", "xor eax", "ff5508", "ff15", "felix bilstein", "disclaimer", "disassembly", "malpedia", "alexanderhatala", "paas", "antibots7", "erbiumloader", "detects erbium", "detects qbot", "html", "uesdb", "vuvzrejc", "cjerzvuv", "ihimerwp", "globalnet", "originloader", "vidar" ], "references": [ "DLL_BankingTrojan_Coyote_Feb2024.yar", "Dll_Backdoor_FalseFront_Jan2024.yar", "Diff_QuasarRAT_01.yar", "DLL_TinyTurla_Strings_Feb2024.yar", "globalnet_files.yar", "EXE_Stealer_Atlantida.yar", "EXE_Python_Stealer_Jan2024.yar", "meth_peb_parsing.yar", "RABBITHUNT_cls.yar", "vidar_stealer_unpacked.yar", "APT_Bitter_Maldoc_Verify.yar", "win_origin_logger_b5c8.yar", "EXE_Stealer_Elusive_Feb2024.yar", "win_originbot.yar", "SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar", "bumblebee_win_generic.yar", "yarahub_win_stealc_bytecodes_oct_2023.yar", "loader_win_bumblebee.yar", "signed_sys_with_vulnerablity.yar", "EXE_Backdoor_Rust_March2024.yar", "EXE_Backdoor_GoBear_Feb2024.yar", "MALWARE_APT29_SVG_Delivery_Jul23.yar", "lockbitblack_ransomnote.yar", "EXE_Stealer_RustyStealer_Feb2024.yar", "LucaStealer.yar", "win_laplas_clipper_9c96.yar", "koi_loader.yar", "ItsSoEasy_Ransomware_C_Var.yar", "Nymaim.yar", "EXE_Stealer_TrollStealer_Feb2024.yar", "PseudoManuscriptLoader.yar", "SVCReady_Packed.yar", "DLL_DiceLoader_Fin7_Feb2024.yar", "win_bitcoin_genesis_b9_ce9f.yar", "WIN32_MAL_TROJ_UPATRE_SMBG.yar", "yes.yar", "DLL_Unknown_China_Feb2024.yar", "DLL_Loader_Pikabot_March2024.yar", "Embedded_RTF_File.yar", "yarahub_win_njrat_bytecodes_V2_oct_2023.yar", "ItsSoEasy_Ransomware_basic.yar", "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23.yar", "win_phorpiex_a_84fc.yar", "EXE_Virus_Neshta_March2024.yar", "meth_get_eip.yar", "DLL_Loader_Wineloader_March2024.yar", "OneNote_EmbeddedFiles_NoPictures.yar", "LimeRAT.yar", "privateloader.yar", "RaccoonV2.yar", "MALWARE_Storm0978_Underground_Ransomware_Jul23.yar", "SUS_UNC_InEmail.yar", "redline_win_generic.yar", "win_amadey_a9f4.yar", "Android_Backdoor_Xamalicious.yar", "VxLang_Packer.yar", "DLL_North_Korean_Lazarus_March2024.yar", "pe_packer_pecompact2.yar", "win_tofsee_bot.yar", "crashedtech_loader.yar", "EXE_Ransomware_Mimic.yar", "DLL_News_Penguin_Feb2024.yar", "DLL_Mustang_Panda_March2024.yar", "EXE_Stealer_Nightingale_Imphash_Jan2024.yar", "EXE_Stealer_Nightingale_Jan2024.yar", "EXE_Stealer_Planet_March2024.yar", "LNK_Dropper_Russian_APT_Feb2024.yar", "Chinese_APT_Backdoor.yar", "Guloader_VBScript.yar", "bruteratelc4.yar", "RANSOM_Lockbit_Black_Packer.yar", "SocGholish_Variant_B.yar", "DLL_RAT_WogRAT_March2024.yar", "win_matanbuchus.yar", "WIN32_MAL_TROJ_DARKME.yar", "Android_BankingTrojan_Hydra.yar", "ELF_RAT_Bifrost_March2024.yar", "EXPLOIT_WinRAR_CVE_2023_38831_Aug23.yar", "ISO_LNK_JS_CMD_DLL.yar", "win_gcleaner_de41.yar", "ItsSoEasy_Ransomware.yar", "EXE_Ransomware_Tuga_March2024.yar", "RABBITHUNT_loader.yar", "LockBit3_ransomware.yar", "Matanbuchus_MSI_2.yar", "MX_fin_custom_allakore_rat.yar", "PikaBot_Stage1_20240222.yar", "Powerpoint_Code_Execution.yar", "Qakbot_IsoCampaign.yar", "RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar", "SelfExtractingRAR.yar", "PUPPETLOADER_loader.yar", "unpacked_qbot.yar", "ELF_Backdoor_ZipLine_Feb2024.yar", "win_colibriloader.yar", "win_strelastealer.yar", "android_apk_hook.yar", "MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar", "babuk_copycat_esxi.yar", "EXE_Ransomware_Phobos_Feb2024.yar", "elf_rekoobe_b3_06c9.yar", "RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23.yar", "EXE_Trojan_RomCom_Feb2024.yar", "EXE_Unknown_Backdoor_March2024.yar", "BruteRatelConfig.yar", "GHISLER_Stealer_1.yar", "pe_no_import_table.yar", "lnk_from_chinese.yar", "Ransomware_SLug.yar", "Sus_AnyDesk_Attempts_Feb2024.yar", "SUSP_ZIP_LNK_PhishAttachment.yar", "ScareCrow_Malware.yar", "win_aurora_stealer_a_706a.yar", "tofsee_yhub.yar", "win_xfiles_stealer_a8b373fb.yar", "EXE_Stealer_RisePro_Jan2024.yar", "AppLaunch.yar", "PassProtected_ZIP_ISO_file.yar", "Win_DarkGate.yar", "LATAMHotel_Obfuscated_BAT.yar", "DLL_PyPi_Loader_Lazarus_March2024.yar", "Disable_Defender.yar", "sfx_pdb_winrar_restrict.yar", "Detect_SliverFox_String.yar", "EXE_Stealer_CryptBot_March2024.yar", "DLL_TinyTurla_PE_Properties_Feb2024.yar", "EXE_Loader_WikiLoader_Feb2024.yar", "DLL_Banking_Trojan_Chavecloak_March2024.yar", "IcedID_ISO.yar", "ELF_Implant_COATHANGER_Feb2024.yar", "malware_bumblebee_packed.yar", "LockbitBlack_Loader.yar", "Python_MasePie.yar", "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar", "QakBot_OneNote_Loader.yar", "Old_Code__Signature_AnyDesk_Feb2024.yar", "SUSP_Doc_WordXMLRels_May22.yar", "vulnerablity_driver2_PhysicalMemory.yar", "win_colibriloader_unpacked.yar", "win_vidar_a_a901.yar", "DLL_RAT_Xeno_Feb2024.yar", "RANSOM_Magniber_LNK_Jan23.yar", "win_xwormmm_s1_6f74.yar", "WIN32_MALWR_POSSIBLE_EMOTET_07_20.yar", "AgentTesla_DIFF_Common_Strings_01.yar", "anyburn_iso_with_date.yar", "avemaria_rat_yhub.yar", "DanaBot_12_2023.yar", "detect_Redline_Stealer_V2.yar", "ELF_RANSOMWARE_BLACKCAT.yar", "DLL_Loader_BlackWood_APT_Jan2024.yar", "EXE_Stealer_WhiteSnake_Jan2024.yar", "DLL_Stealer_Ov3rStealer_Feb2024.yar", "win_modern_loader_v1_01_1edf.yar", "Icedid_Unpacked_in_Memory.yar", "meth_stackstrings.yar", "Play_Ransomware.yar", "EXE_RAT_vxRAT_March2024.yar", "EXE_Stealer_Strela_March2024.yar", "sqlcmd_loader.yar", "EXE_Stealer_Phemedrone_Feb2024.yar", "StrelaStealer.yar", "win_erbium_stealer_a1_2622.yar", "UNKNOWN_News_Penguin_Feb2024.yar", "win_amadey_bytecodes_oct_2023.yar", "APT_Bitter_PDB_Paths.yar", "binaryObfuscation.yar", "detect_RWS_pe_rule.yar", "DLL_PyPi_Comebacker_Lazarus_March2024.yar", "Erbium_Stealer_Obfuscated.yar", "ZPAQ.yar", "SUSP_HxD_Icon_Anomaly_May23_1.yar", "ItsSoEasy_Ransomware_Go_Var.yar", "ItsSoEasy_Ransomware_Py_Var.yar", "RANSOM_Magniber_ISO_Jan23.yar", "MALWARE_OneNote_Delivery_Jan23.yar", "SocGholish_Custom_Base64.yar", "SocGholish_Obfuscated.yar", "SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar", "Qakbot_WSF_loader.yar", "win_agent_tesla_ab4444e9.yar", "win_danabot_cdf38827.yar", "win_limerat_j1_00cfd931.yar", "win_lu0bot_loader_1d53.yar", "agenttesla_win_generic.yar", "APT_Bitter_Almond_RAT.yar", "unk_phishkit.yar", "cobalt_strike_tmp01925d3f.yar", "detect_Redline_Stealer.yar", "hunt_redline_stealer.yar", "RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar", "ELF_Loader_KrustyLoader_Feb2024.yar", "yarahub_win_remcos_rat_unpacked_aug_2023.yar", "EXE_Stealer_44Caliber_Feb2024.yar", "MALWARE_Emotet_OneNote_Delivery_js_Mar23.yar", "EXE_Ransomware_Nevada_Feb2024.yar", "EXE_Stealer_StealC_Feb2024.yar", "win_imminentrat_j1_7e208e97.yar", "recordbreaker_win_generic.yar", "yarahub_win_mystic_stealer_bytecodes_sep_2023.yar", "win_qakbot_malped.yar", "PaaS_SpearPhishing_Feb23.yar", "Erbium_Loader.yar", "win_Eternity.yar", "QBOT_HTMLSmuggling_a.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GlobalNet", "display_name": "GlobalNet", "target": null }, { "id": "OriginLoader", "display_name": "OriginLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Detects UPATRE", "display_name": "Detects UPATRE", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "twizz619", "id": "188477", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 138, "FileHash-SHA256": 181, "domain": 25, "YARA": 162, "URL": 23, "CVE": 4, "hostname": 10, "email": 4 }, "indicator_count": 788, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "APConfigurationSystem.tbd", "SUSP_HxD_Icon_Anomaly_May23_1.yar", "ELF_RAT_Bifrost_March2024.yar", "pf.os", "agenttesla_win_generic.yar", "ELF_Loader_KrustyLoader_Feb2024.yar", "win_qakbot_malped.yar", "win_colibriloader_unpacked.yar", "csh.cshrc", "resolv.conf", "aliases", "version.plist", "bashrc_Apple_Terminal", "AppleFirmwareUpdate.tbd", "win_colibriloader.yar", "ntp_opendirectory.conf", "paths", "Detect_SliverFox_String.yar", "virtual", "manpaths", "SocGholish_Custom_Base64.yar", "LimeRAT.yar", "Powerpoint_Code_Execution.yar", "DLL_Loader_Pikabot_March2024.yar", "bruteratelc4.yar", "com.apple.screensharing.agent.launchd", "custom_header_checks", "irbrc", "APT_Bitter_Almond_RAT.yar", "Driver_xst.h", "launchagents.txt", "bind.html", "rpc", "rtadvd.conf", "Erbium_Loader.yar", "csh.logout", "yarahub_win_remcos_rat_unpacked_aug_2023.yar", "content-negotiation.html", "MCAdvertiserAssistant.h", "RABBITHUNT_cls.yar", "win_bitcoin_genesis_b9_ce9f.yar", "win_xwormmm_s1_6f74.yar", "DLL_PyPi_Loader_Lazarus_March2024.yar", "ELF_RANSOMWARE_BLACKCAT.yar", "binaryObfuscation.yar", "MCError.h", "auto_home", "Android_BankingTrojan_Hydra.yar", "unk_phishkit.yar", "babuk_copycat_esxi.yar", "DLL_News_Penguin_Feb2024.yar", "MALWARE_Storm0978_Underground_Ransomware_Jul23.yar", "EXE_Backdoor_Rust_March2024.yar", "rc.netboot", "DLL_Stealer_Ov3rStealer_Feb2024.yar", "DLL_RAT_WogRAT_March2024.yar", "MALWARE_OneNote_Delivery_Jan23.yar", "WIN32_MAL_TROJ_DARKME.yar", "locate.rc", "ELF_Implant_COATHANGER_Feb2024.yar", "sharedFolders.csv", "MCPeerID.h", "DLL_Banking_Trojan_Chavecloak_March2024.yar", "CodeResources", "WIN32_MAL_TROJ_UPATRE_SMBG.yar", "yarahub_win_njrat_bytecodes_V2_oct_2023.yar", "Win_DarkGate.yar", "lockbitblack_ransomnote.yar", "index.html.en", "ZPAQ.yar", "process_list.txt", "main.cf.default", "MultipeerConnectivity.h", "ldap.h", "dbivport.h", "kexts.txt", "networks", "win_agent_tesla_ab4444e9.yar", "PassProtected_ZIP_ISO_file.yar", "hook_op_check.h", "LocalAuthentication.tbd", "win_aurora_stealer_a_706a.yar", "security_status.txt", "APT_Bitter_PDB_Paths.yar", "EXE_Stealer_44Caliber_Feb2024.yar", "protocols", "ftpusers", "MCNearbyServiceAdvertiser.h", "EXE_Unknown_Backdoor_March2024.yar", "pf.conf", "win_amadey_a9f4.yar", "meth_peb_parsing.yar", "EXE_Stealer_Phemedrone_Feb2024.yar", "find.codes", "EXE_Stealer_StealC_Feb2024.yar", "DLL_TinyTurla_Strings_Feb2024.yar", "privateloader.yar", "EXE_Stealer_Atlantida.yar", "sipConfig.csv", "Matanbuchus_MSI_2.yar", "QBOT_HTMLSmuggling_a.yar", "unpacked_qbot.yar", "pe_packer_pecompact2.yar", "win_originbot.yar", "DBIXS.h", "DLL_Unknown_China_Feb2024.yar", "SVCReady_Packed.yar", "MALWARE_APT29_SVG_Delivery_Jul23.yar", "man.conf", "EXE_Ransomware_Phobos_Feb2024.yar", "meth_get_eip.yar", "loader_win_bumblebee.yar", "redline_win_generic.yar", "EXE_RAT_vxRAT_March2024.yar", "makedefs.out", "avemaria_rat_yhub.yar", "dbixs_rev.h", "zprofile", "RABBITHUNT_loader.yar", "MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar", "BUILDING", "mounts.txt", "crashes.csv", "module.modulemap", "main.cf.proto", "newsyslog.conf", "notify.conf", "EXE_Stealer_CryptBot_March2024.yar", "sudo_lecture", "managedPolicies.csv", "EXE_Ransomware_Nevada_Feb2024.yar", "postfix-files", "EXE_Backdoor_GoBear_Feb2024.yar", "EXE_Loader_WikiLoader_Feb2024.yar", "win_imminentrat_j1_7e208e97.yar", "DanaBot_12_2023.yar", "SUS_UNC_InEmail.yar", "DLL_RAT_Xeno_Feb2024.yar", "header_checks", "Old_Code__Signature_AnyDesk_Feb2024.yar", "LucaStealer.yar", "RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23.yar", "EXE_Stealer_WhiteSnake_Jan2024.yar", "vidar_stealer_unpacked.yar", "rmtab", "Embedded_RTF_File.yar", "ISO_LNK_JS_CMD_DLL.yar", "LNK_Dropper_Russian_APT_Feb2024.yar", "csh.login", "hunt_redline_stealer.yar", "user_launchagents.txt", "DLL_Mustang_Panda_March2024.yar", "mail.rc", "Nymaim.yar", "MCBrowserViewController.h", "MCNearbyServiceBrowser.h", "arm64e-apple-macos.swiftinterface", "SelfExtractingRAR.yar", "detect_RWS_pe_rule.yar", "Info.plist", "WIN32_MALWR_POSSIBLE_EMOTET_07_20.yar", "EXPLOIT_WinRAR_CVE_2023_38831_Aug23.yar", "disk_structure.txt", "tofsee_yhub.yar", "custom-error.html", "EXE_Stealer_Nightingale_Imphash_Jan2024.yar", "ItsSoEasy_Ransomware_Go_Var.yar", "crashedtech_loader.yar", "zshrc_Apple_Terminal", "EXE_Stealer_RustyStealer_Feb2024.yar", "win_modern_loader_v1_01_1edf.yar", "win_amadey_bytecodes_oct_2023.yar", "users.csv", "MALWARE_Emotet_OneNote_Delivery_js_Mar23.yar", "ItsSoEasy_Ransomware_C_Var.yar", "detect_Redline_Stealer_V2.yar", "syslog.conf", "elf_rekoobe_b3_06c9.yar", "SocGholish_Variant_B.yar", "master.cf.proto", "generic", "APT_Bitter_Maldoc_Verify.yar", "chromeExtensions.csv", "gettytab", "relocated", "anyburn_iso_with_date.yar", "win_phorpiex_a_84fc.yar", "win_gcleaner_de41.yar", "VxLang_Packer.yar", "bashrc", "shells", "GHISLER_Stealer_1.yar", "usbDevices.csv", "autofs.conf", "Android_Backdoor_Xamalicious.yar", "kern_loader.conf", "ELF_Backdoor_ZipLine_Feb2024.yar", "systemControls.csv", "EXE_Trojan_RomCom_Feb2024.yar", "MCSession.h", "transport", "QakBot_OneNote_Loader.yar", "afpovertcp.cfg", "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar", "SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar", "ScareCrow_Malware.yar", "Erbium_Stealer_Obfuscated.yar", "DLL_BankingTrojan_Coyote_Feb2024.yar", "Qakbot_WSF_loader.yar", "LockBit3_ransomware.yar", "PUPPETLOADER_loader.yar", "AirPlayReceiver.tbd", "vulnerablity_driver2_PhysicalMemory.yar", "EXE_Stealer_Elusive_Feb2024.yar", "DLL_DiceLoader_Fin7_Feb2024.yar", "win_strelastealer.yar", "SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar", "MultipeerConnectivity.apinotes", "launchD.csv", "Diff_QuasarRAT_01.yar", "x86_64-apple-ios-macabi.swiftinterface", "win_vidar_a_a901.yar", "applications.csv", "caching.html", "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23.yar", "configuring.html", "DLL_TinyTurla_PE_Properties_Feb2024.yar", "EXE_Stealer_TrollStealer_Feb2024.yar", "win_matanbuchus.yar", "PikaBot_Stage1_20240222.yar", "PseudoManuscriptLoader.yar", "preboot_archive_errors.log", "Sus_AnyDesk_Attempts_Feb2024.yar", "UNKNOWN_News_Penguin_Feb2024.yar", "EXE_Python_Stealer_Jan2024.yar", "win_erbium_stealer_a1_2622.yar", "zshrc", "win_Eternity.yar", "canonical", "convenience.map", "DLL_North_Korean_Lazarus_March2024.yar", "lnk_from_chinese.yar", "apfs_boot_mount.tbd", "ItsSoEasy_Ransomware_basic.yar", "Admin.tbd", "win_danabot_cdf38827.yar", "yes.yar", "sqlcmd_loader.yar", "cobalt_strike_tmp01925d3f.yar", "x86_64-apple-macos.swiftinterface", "ttys", "ItsSoEasy_Ransomware.yar", "etcHosts.csv", "EXE_Stealer_RisePro_Jan2024.yar", "BruteRatelConfig.yar", "MultipeerConnectivity.tbd", "MX_fin_custom_allakore_rat.yar", "RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar", "master.cf", "Python_MasePie.yar", "master.cf.default", "LATAMHotel_Obfuscated_BAT.yar", "DLL_PyPi_Comebacker_Lazarus_March2024.yar", "RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar", "Chinese_APT_Backdoor.yar", "xtab", "RaccoonV2.yar", "asl.conf", "malware_bumblebee_packed.yar", "Dll_Backdoor_FalseFront_Jan2024.yar", "AppLaunch.yar", "systemInfo.csv", "ItsSoEasy_Ransomware_Py_Var.yar", "signed_sys_with_vulnerablity.yar", "certificates.csv", "lber.h", "win_tofsee_bot.yar", "sfx_pdb_winrar_restrict.yar", "IcedID_ISO.yar", "mounts.csv", "EXE_Ransomware_Mimic.yar", "EXE_Ransomware_Tuga_March2024.yar", "LockbitBlack_Loader.yar", "EXE_Virus_Neshta_March2024.yar", "StrelaStealer.yar", "SUSP_ZIP_LNK_PhishAttachment.yar", "EXE_Stealer_Strela_March2024.yar", "dbd_xsh.h", "passwd", "win_limerat_j1_00cfd931.yar", "kernel.csv", "LICENSE", "interfaceDetails.csv", "EXE_Stealer_Planet_March2024.yar", "bumblebee_win_generic.yar", "EXE_Stealer_Nightingale_Jan2024.yar", "RANSOM_Lockbit_Black_Packer.yar", "Disable_Defender.yar", "profile", "TLS_LICENSE", "win_origin_logger_b5c8.yar", "pe_no_import_table.yar", "koi_loader.yar", "android_apk_hook.yar", "SUSP_Doc_WordXMLRels_May22.yar", "recordbreaker_win_generic.yar", "RANSOM_Magniber_ISO_Jan23.yar", "smb.conf", "ntp.conf", "PaaS_SpearPhishing_Feb23.yar", "yarahub_win_mystic_stealer_bytecodes_sep_2023.yar", "detect_Redline_Stealer.yar", "meth_stackstrings.yar", "command_args.json", "auto_master", "battery.csv", "bounce.cf.default", "SocGholish_Obfuscated.yar", "DLL_Loader_BlackWood_APT_Jan2024.yar", "Ransomware_SLug.yar", "win_xfiles_stealer_a8b373fb.yar", "access", "win_lu0bot_loader_1d53.yar", "arm64e-apple-ios-macabi.swiftinterface", "main.cf", "Qakbot_IsoCampaign.yar", "launchdaemons.txt", "LDAP.tbd", "globalnet_files.yar", "group", "RANSOM_Magniber_LNK_Jan23.yar", "rc.common", "yarahub_win_stealc_bytecodes_oct_2023.yar", "Play_Ransomware.yar", "AOSKit.tbd", "Guloader_VBScript.yar", "interfaceAddrs.csv", "win_laplas_clipper_9c96.yar", "AgentTesla_DIFF_Common_Strings_01.yar", "sudoers", "diskEncryption.csv", "sharingPreferences.csv", "OneNote_EmbeddedFiles_NoPictures.yar", "Icedid_Unpacked_in_Memory.yar", "dbi_sql.h", "nfs.conf", "DLL_Loader_Wineloader_March2024.yar" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Originloader", "Globalnet", "Lastname", "Firstname", "Nymaim", "Detects upatre", "Vidar" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fdb8fe7f8e1c50fff4e873", "name": "Yara Dump Abuse.ch", "description": "Abuse.ch dump of all community yara uploads.", "modified": "2024-04-21T16:01:18.859000", "created": "2024-03-22T16:59:42.421000", "tags": [ "description", "detects coyote", "yashraj solanki", "cyber threat", "bridewell", "reference", "hash", "rustynoob619", "drainlog", "signalchromeelf", "falsefront", "peach sandstorm", "credits", "vt sample", "twitter", "tlx0b", "diffquasarrat01", "tx0b", "detects tiny", "turla implant", "turla apt", "detect pe", "pyinstaller", "exodus", "binance", "metamask", "binancewallet", "phantom", "metawallet", "temple", "steam", "detects python", "stealer", "temp", "dword ptr", "ldrdata", "cc by", "orderlinks", "ff ff", "rabbithuntcls", "matanet", "b2 c7", "d4 dd", "ee f1", "aa c7", "e4 f8", "vidar binary", "e8 d1", "e8 bf", "e8 e1", "e8 a3", "f9 ff", "c0 xor", "bitter", "tapt17", "cve20180798", "team", "sifalconteam", "white", "bitter maldoc", "loadlibrarya", "shellexecutea", "bader", "orign logger", "cc bysa", "originlogger", "logsettings", "assembly", "binder", "installation", "options", "downloader", "detects elusive", "stealer malware", "yogesh londhe", "originbot", "bitsight", "cc byncsa", "windows nt", "win64", "post", "tripledes", "detects", "packages", "findfirstfile", "findnextfile", "heapwalk", "mapviewoffile", "switchtofiber", "deletefiber", "findfirstfileex", "writefile", "raiseexception", "matthew", "embeeresearch", "stealc", "cc bync", "find bumblebee", "mmmapiospace", "physicalmemory", "spica backdoor", "callisto", "rust", "apt coldriver", "go bear", "backdoor", "kimsuky", "pe export", "file", "hunting rule", "lockbit", "your", "detects rusty", "bcryptgenrandom", "chat3ux", "lucastealer", "lucasstealer", "credit", "laplas clipper", "debug", "first stage", "second stage", "desktop", "ransomware", "itssoeasy", "keyprocedure", "base64", "decrypt", "whoops", "identifier", "l2lkzw50awzpzxi", "lml0c3nvzwfzeq", "nymaim", "chaitanya", "nymaim loader", "detects troll", "clear", "andre gironda", "andregironda", "detects dice", "loader malware", "fin7 apt", "sekoia", "bitcoin genesis", "block", "eaxecx", "eaxecx1", "edx4", "trojan upatre", "detects upatre", "trojan variant", "host", "user execution", "module load", "t1064", "lodsb", "chinise", "helpcf", "legalcopyright", "detects pikabot", "pe import", "pr0xylife", "embeddedrtffile", "dhaeyerwolf", "cve202336884", "d0 cf", "e0 a1", "word", "msworddoc", "powerpoint", "microsoft excel", "detect", "itssoeasya", "e3 bd", "a4 c4", "guid", "onenote", "emotet", "view", "phorpiex", "publichtml", "htdocs", "httpdocs", "share", "income", "c start", "c rmdir", "detects neshta", "belarusian file", "delphi", "belarus", "apanas", "main0x5", "actor", "author", "jpg20001", "jpg20002", "ff d8", "select", "limerat", "detects lime", "rat malware", "f sc", "onlogon rl", "highest", "pstart", "khtml", "gecko", "service", "pxor", "ff c", "raccoonv2", "yara", "detects raccoon", "stealer version", "recordbreaker", "industrialspy", "storm0978", "magicmsg", "magiceml", "magicics", "appointment", "susuncinemail", "looks", "unc string", "magic", "virtualprotect", "amadey", "c2 traffic", "af09", "support", "android malware", "microsoft", "android support", "library", "p4nd3m1cb0y", "vxlangpacker", "vxlang", "released", "threat actor", "lazarus", "baoshengbincumt", "pecompact2", "code00401000 b8", "code00401005", "code00401006", "code0040100d", "code00401014", "code00401016", "rndhex", "rndchar", "xorcrypt", "tofsee malware", "f6 d9", "c1 eb", "c0 e1", "f7 fb", "detects mimic", "mimic", "delete shadow", "copies", "loading", "news penguin", "pakistan", "mustang panda", "ta416", "new year", "themed campaign", "smica83", "suyog41", "file hash", "detects planet", "source", "filehash", "go buildinf", "upx0", "sendhttprequest", "detects lnk", "matches", "lnk dropper", "apt backdoor", "ding2", "ding1", "ankit anubhav", "vbscripts", "a rule", "cryptderivekey", "size", "lockbit black", "version", "high entropy", "july", "wingsofgod", "windows version", "wograt malware", "developed", "maas loader", "ebpvar8", "byte ptr", "ebpvar10", "xor al", "trojan darkme", "detects darkme", "xchg eax", "cmpsd", "esi8", "fadd", "detects hydra", "uninstall", "detects x86", "bifrost rat", "targeting linux", "falcon", "detects zip", "cve202338831", "winrar", "exploit", "t1203", "crimeware", "lnkheader", "isolnkjscmddll", "detects iso", "gcleaner", "accept", "c taskkill", "http analyzer", "wireshark", "networkminer", "internalname", "detects tuga", "arefileapisansi", "getusernamew", "virtualfree", "closehandle", "blackberry", "rule", "matanbuchusmsi2", "matanbuchus msi", "html smuggling", "ta570", "qakbot", "research", "find mx", "mandafirma", "firmasanta", "actualiza", "attempts", "pikabot maldoc", "zip file", "x73x70x6cx69x74", "x73x6cx69x63x65", "slice", "x63x61x6cx6c", "computeus7", "new code", "header", "web client", "download data", "qakbot new", "campaign iso", "cd001", "unicode file", "windows", "systemroot", "ijg jpeg", "cleandir", "ssh hi", "change config", "stop vmx", "kill vmx", "grep", "sfx archive", "setup", "faild", "hijacjbmppath", "unexist", "sendparam", "injector", "qbot", "detects zipline", "procselfexe", "rtlallocateheap", "detects strela", "hook", "detects office", "html injection", "ee df", "df ee", "nicklas keijser", "truesec", "detection", "babuk", "does", "whole", "a7 dc", "eb be", "detects phobos", "romania", "rekoobe linux", "ab cd", "dc ba", "f0 e1", "d2 c3", "encrypt", "sosemanuk", "findcrypt3 rule", "l1522", "b5 cd", "cc de", "eb b5", "detects malware", "romcom threat", "naumovax", "ordinal", "ghislerstealer1", "ghisler golang", "go stealer", "post sendlog", "userid http", "switchtothread", "ghisler", "note", "ransomwareslug", "slug ransomware", "contact", "anydesk windows", "roth", "anydesk", "scarecrow", "gogc", "state", "aurora stealer", "user datalocal", "reconnect", "user", "screenshot", "crypto", "billy austin", "detects tofsee", "gheg", "tofsee", "outlookbnd", "outlookmid", "telegram", "xml manifest", "rise pro", "pe rich", "false", "applaunch", "yarahub", "c1 e1", "e3 ff", "windarkgate", "hotels", "asyncrat", "azaz09", "malicious pypi", "lazarus group", "pdb paths", "defender", "windefend", "maintenance", "disabledefender", "files", "center", "setservice name", "refresh", "button", "press", "install", "extract", "browse", "winrar sfx", "x0dn", "getserver", "c0 eb", "c0 f7", "cf ff", "c3 b8", "f8 b9", "ff e7", "russianpanda9xx", "detects wiki", "loader", "thanks", "mangusta", "final payload", "trojan", "brazil", "icedidiso", "icedid iso", "busybox reverse", "shell", "heapbufferptr", "marc salinas", "checkpoint", "bumblebee", "call", "getprocessheap", "xor edx", "heapalloc", "zander work", "pythonmasepie", "masepie malware", "python script", "ascii", "buffersize", "guidwsf", "vbscript", "variant", "ta570ta577", "d8 a7", "ae b1", "regdelete", "involves", "tok1", "look", "goodwarehash", "cve202230190", "directory", "relationships", "targetmode", "xor ax", "c3 f7", "ff d6", "wallet", "enkrypt", "braavos", "exodus web3", "trust wallet", "tronium", "opera wallet", "detects xeno", "ransomware lnk", "windows update", "mutexx", "usbs", "appmutex", "getencoderinfo", "stobs64", "aesdecryptor", "aesencryptor", "indate", "ping", "agent tesla", "identify", "anyburn", "nils kuhnert", "isos", "avemaria", "persistence", "midgetporn", "danabot122023", "russianpanda", "danabot", "anfam17", "varp0s", "modification", "linuxmalware", "detect linux", "linux", "mac file", "defense evasion", "b7 fe", "ca ef", "dll loader", "nspx30 implant", "black wood", "detects white", "snake stealer", "downloaddata", "detects ov3r", "facebook ads", "error", "response", "task", "download", "execute", "listen", "modernloader", "b6 c0", "icedid family", "b6 f2", "b6 c9", "f7 f5", "fe c3", "b6 db", "b6 d1", "winhttpconnect", "null terminator", "regex", "xc6x85", "xc6x84x24", "xc6x45", "xc7x45", "xffxff", "xffxffx00", "esp0bh", "playransomware", "detects play", "mickal walter", "itracing", "opaquekeyblob", "open source", "brecht sanders", "pe imphash", "phemedrone", "antivm", "strelastealer", "studio", "strela", "erbium stealer", "file type", "amadey bot", "samples", "almond rat", "qi anxin", "sean dalnodar", "detects rwxs", "bill demirkapi", "zig zig", "zigrich", "zpaq", "zpaq alg", "a2 f1", "b9 de", "b8 f4", "fa ff", "developer", "maael hoerz", "ransomware iso", "iso magic", "dos mode", "office", "malware", "powershell", "sub autoopen", "getobject", "batch", "detects custom", "abcd", "detects reverse", "manifests", "entrypoint", "qakbotwsfloader", "wsf loader", "qakbot dll", "request", "f8 c6", "addr", "limeratadmin", "minning", "lu0bot malware", "winexec", "exitprocess", "callbyname", "companyname", "filedescription", "productname", "getmacid", "proofpoint", "form", "dfir report", "yara rule", "set author", "date", "bazar", "rule set", "search", "parella javan", "exotismwaura", "tmptmpy8thnb", "openslpport", "binsh", "httpserver", "postserver", "detects krusty", "synacktiv", "watchdog module", "remcos", "caliber", "caliber stealer", "lure", "connect", "javascript", "pngs", "detects nevada", "shadow", "detects stealc", "sampletest", "tested", "imminentplugins", "battery", "ram usage", "graphics card", "firewall", "antivirus", "mac address", "internetopenurl", "httpqueryinfo", "deletefile", "openprocess", "process32first", "process32next", "shellexecute", "push", "xor eax", "ff5508", "ff15", "felix bilstein", "disclaimer", "disassembly", "malpedia", "alexanderhatala", "paas", "antibots7", "erbiumloader", "detects erbium", "detects qbot", "html", "uesdb", "vuvzrejc", "cjerzvuv", "ihimerwp", "globalnet", "originloader", "vidar" ], "references": [ "DLL_BankingTrojan_Coyote_Feb2024.yar", "Dll_Backdoor_FalseFront_Jan2024.yar", "Diff_QuasarRAT_01.yar", "DLL_TinyTurla_Strings_Feb2024.yar", "globalnet_files.yar", "EXE_Stealer_Atlantida.yar", "EXE_Python_Stealer_Jan2024.yar", "meth_peb_parsing.yar", "RABBITHUNT_cls.yar", "vidar_stealer_unpacked.yar", "APT_Bitter_Maldoc_Verify.yar", "win_origin_logger_b5c8.yar", "EXE_Stealer_Elusive_Feb2024.yar", "win_originbot.yar", "SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar", "bumblebee_win_generic.yar", "yarahub_win_stealc_bytecodes_oct_2023.yar", "loader_win_bumblebee.yar", "signed_sys_with_vulnerablity.yar", "EXE_Backdoor_Rust_March2024.yar", "EXE_Backdoor_GoBear_Feb2024.yar", "MALWARE_APT29_SVG_Delivery_Jul23.yar", "lockbitblack_ransomnote.yar", "EXE_Stealer_RustyStealer_Feb2024.yar", "LucaStealer.yar", "win_laplas_clipper_9c96.yar", "koi_loader.yar", "ItsSoEasy_Ransomware_C_Var.yar", "Nymaim.yar", "EXE_Stealer_TrollStealer_Feb2024.yar", "PseudoManuscriptLoader.yar", "SVCReady_Packed.yar", "DLL_DiceLoader_Fin7_Feb2024.yar", "win_bitcoin_genesis_b9_ce9f.yar", "WIN32_MAL_TROJ_UPATRE_SMBG.yar", "yes.yar", "DLL_Unknown_China_Feb2024.yar", "DLL_Loader_Pikabot_March2024.yar", "Embedded_RTF_File.yar", "yarahub_win_njrat_bytecodes_V2_oct_2023.yar", "ItsSoEasy_Ransomware_basic.yar", "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23.yar", "win_phorpiex_a_84fc.yar", "EXE_Virus_Neshta_March2024.yar", "meth_get_eip.yar", "DLL_Loader_Wineloader_March2024.yar", "OneNote_EmbeddedFiles_NoPictures.yar", "LimeRAT.yar", "privateloader.yar", "RaccoonV2.yar", "MALWARE_Storm0978_Underground_Ransomware_Jul23.yar", "SUS_UNC_InEmail.yar", "redline_win_generic.yar", "win_amadey_a9f4.yar", "Android_Backdoor_Xamalicious.yar", "VxLang_Packer.yar", "DLL_North_Korean_Lazarus_March2024.yar", "pe_packer_pecompact2.yar", "win_tofsee_bot.yar", "crashedtech_loader.yar", "EXE_Ransomware_Mimic.yar", "DLL_News_Penguin_Feb2024.yar", "DLL_Mustang_Panda_March2024.yar", "EXE_Stealer_Nightingale_Imphash_Jan2024.yar", "EXE_Stealer_Nightingale_Jan2024.yar", "EXE_Stealer_Planet_March2024.yar", "LNK_Dropper_Russian_APT_Feb2024.yar", "Chinese_APT_Backdoor.yar", "Guloader_VBScript.yar", "bruteratelc4.yar", "RANSOM_Lockbit_Black_Packer.yar", "SocGholish_Variant_B.yar", "DLL_RAT_WogRAT_March2024.yar", "win_matanbuchus.yar", "WIN32_MAL_TROJ_DARKME.yar", "Android_BankingTrojan_Hydra.yar", "ELF_RAT_Bifrost_March2024.yar", "EXPLOIT_WinRAR_CVE_2023_38831_Aug23.yar", "ISO_LNK_JS_CMD_DLL.yar", "win_gcleaner_de41.yar", "ItsSoEasy_Ransomware.yar", "EXE_Ransomware_Tuga_March2024.yar", "RABBITHUNT_loader.yar", "LockBit3_ransomware.yar", "Matanbuchus_MSI_2.yar", "MX_fin_custom_allakore_rat.yar", "PikaBot_Stage1_20240222.yar", "Powerpoint_Code_Execution.yar", "Qakbot_IsoCampaign.yar", "RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar", "SelfExtractingRAR.yar", "PUPPETLOADER_loader.yar", "unpacked_qbot.yar", "ELF_Backdoor_ZipLine_Feb2024.yar", "win_colibriloader.yar", "win_strelastealer.yar", "android_apk_hook.yar", "MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar", "babuk_copycat_esxi.yar", "EXE_Ransomware_Phobos_Feb2024.yar", "elf_rekoobe_b3_06c9.yar", "RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23.yar", "EXE_Trojan_RomCom_Feb2024.yar", "EXE_Unknown_Backdoor_March2024.yar", "BruteRatelConfig.yar", "GHISLER_Stealer_1.yar", "pe_no_import_table.yar", "lnk_from_chinese.yar", "Ransomware_SLug.yar", "Sus_AnyDesk_Attempts_Feb2024.yar", "SUSP_ZIP_LNK_PhishAttachment.yar", "ScareCrow_Malware.yar", "win_aurora_stealer_a_706a.yar", "tofsee_yhub.yar", "win_xfiles_stealer_a8b373fb.yar", "EXE_Stealer_RisePro_Jan2024.yar", "AppLaunch.yar", "PassProtected_ZIP_ISO_file.yar", "Win_DarkGate.yar", "LATAMHotel_Obfuscated_BAT.yar", "DLL_PyPi_Loader_Lazarus_March2024.yar", "Disable_Defender.yar", "sfx_pdb_winrar_restrict.yar", "Detect_SliverFox_String.yar", "EXE_Stealer_CryptBot_March2024.yar", "DLL_TinyTurla_PE_Properties_Feb2024.yar", "EXE_Loader_WikiLoader_Feb2024.yar", "DLL_Banking_Trojan_Chavecloak_March2024.yar", "IcedID_ISO.yar", "ELF_Implant_COATHANGER_Feb2024.yar", "malware_bumblebee_packed.yar", "LockbitBlack_Loader.yar", "Python_MasePie.yar", "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar", "QakBot_OneNote_Loader.yar", "Old_Code__Signature_AnyDesk_Feb2024.yar", "SUSP_Doc_WordXMLRels_May22.yar", "vulnerablity_driver2_PhysicalMemory.yar", "win_colibriloader_unpacked.yar", "win_vidar_a_a901.yar", "DLL_RAT_Xeno_Feb2024.yar", "RANSOM_Magniber_LNK_Jan23.yar", "win_xwormmm_s1_6f74.yar", "WIN32_MALWR_POSSIBLE_EMOTET_07_20.yar", "AgentTesla_DIFF_Common_Strings_01.yar", "anyburn_iso_with_date.yar", "avemaria_rat_yhub.yar", "DanaBot_12_2023.yar", "detect_Redline_Stealer_V2.yar", "ELF_RANSOMWARE_BLACKCAT.yar", "DLL_Loader_BlackWood_APT_Jan2024.yar", "EXE_Stealer_WhiteSnake_Jan2024.yar", "DLL_Stealer_Ov3rStealer_Feb2024.yar", "win_modern_loader_v1_01_1edf.yar", "Icedid_Unpacked_in_Memory.yar", "meth_stackstrings.yar", "Play_Ransomware.yar", "EXE_RAT_vxRAT_March2024.yar", "EXE_Stealer_Strela_March2024.yar", "sqlcmd_loader.yar", "EXE_Stealer_Phemedrone_Feb2024.yar", "StrelaStealer.yar", "win_erbium_stealer_a1_2622.yar", "UNKNOWN_News_Penguin_Feb2024.yar", "win_amadey_bytecodes_oct_2023.yar", "APT_Bitter_PDB_Paths.yar", "binaryObfuscation.yar", "detect_RWS_pe_rule.yar", "DLL_PyPi_Comebacker_Lazarus_March2024.yar", "Erbium_Stealer_Obfuscated.yar", "ZPAQ.yar", "SUSP_HxD_Icon_Anomaly_May23_1.yar", "ItsSoEasy_Ransomware_Go_Var.yar", "ItsSoEasy_Ransomware_Py_Var.yar", "RANSOM_Magniber_ISO_Jan23.yar", "MALWARE_OneNote_Delivery_Jan23.yar", "SocGholish_Custom_Base64.yar", "SocGholish_Obfuscated.yar", "SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar", "Qakbot_WSF_loader.yar", "win_agent_tesla_ab4444e9.yar", "win_danabot_cdf38827.yar", "win_limerat_j1_00cfd931.yar", "win_lu0bot_loader_1d53.yar", "agenttesla_win_generic.yar", "APT_Bitter_Almond_RAT.yar", "unk_phishkit.yar", "cobalt_strike_tmp01925d3f.yar", "detect_Redline_Stealer.yar", "hunt_redline_stealer.yar", "RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar", "ELF_Loader_KrustyLoader_Feb2024.yar", "yarahub_win_remcos_rat_unpacked_aug_2023.yar", "EXE_Stealer_44Caliber_Feb2024.yar", "MALWARE_Emotet_OneNote_Delivery_js_Mar23.yar", "EXE_Ransomware_Nevada_Feb2024.yar", "EXE_Stealer_StealC_Feb2024.yar", "win_imminentrat_j1_7e208e97.yar", "recordbreaker_win_generic.yar", "yarahub_win_mystic_stealer_bytecodes_sep_2023.yar", "win_qakbot_malped.yar", "PaaS_SpearPhishing_Feb23.yar", "Erbium_Loader.yar", "win_Eternity.yar", "QBOT_HTMLSmuggling_a.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GlobalNet", "display_name": "GlobalNet", "target": null }, { "id": "OriginLoader", "display_name": "OriginLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Detects UPATRE", "display_name": "Detects UPATRE", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "twizz619", "id": "188477", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 138, "FileHash-SHA256": 181, "domain": 25, "YARA": 162, "URL": 23, "CVE": 4, "hostname": 10, "email": 4 }, "indicator_count": 788, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "resource.name", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "resource.name", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780319942.9038787 }