{ "type": "Domain", "indicator": "st.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/st.com", "alexa": "http://www.alexa.com/siteinfo/st.com", "indicator": "st.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain st.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2569203401, "indicator": "st.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a1bbf37e377ccaa110200e0", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.684000", "created": "2026-05-31T04:55:19.811000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1bbf3891b8d5e7f5fda895", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.273000", "created": "2026-05-31T04:55:20.446000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708ff435400450988945f1", "name": "auto.getsetpet.com - typosquat cloudfare.com with many typical subs as well", "description": "", "modified": "2023-12-06T15:15:00.581000", "created": "2023-12-06T15:15:00.581000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 733, "FileHash-SHA256": 945, "domain": 529, "URL": 1464, "email": 9, "FileHash-MD5": 82, "FileHash-SHA1": 55, "CVE": 1 }, "indicator_count": 3818, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f52c8134bcfec6bc14eb20", "name": "~WRD0004.doc", "description": "", "modified": "2023-02-21T20:41:36.773000", "created": "2023-02-21T20:41:36.773000", "tags": [ "375809b8a913e9fdf5a6a0463d373eff98ee7d8054a49c28bd133b90fbe7b424", "~WRD0004.doc" ], "references": [ "~WRD0004.doc", "Contains - TarD5B7.tmp\tc0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "Process binds to unusual ports details Process \"%PROGRAMFILES%\\Microsoft Office\\Office14\\WINWORD.EXE\" binds to port 49791 source Network Traffic", "https://hybrid-analysis.com/sample/375809b8a913e9fdf5a6a0463d373eff98ee7d8054a49c28bd133b90fbe7b424/63f406d1b2eb1e516771f201" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 19, "URL": 7, "domain": 12, "FileHash-MD5": 14, "FileHash-SHA1": 11 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1197 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62bc67d92c92ae06d9df38b4", "name": "auto.getsetpet.com - typosquat cloudfare.com with many typical subs as well", "description": "", "modified": "2022-07-29T00:00:24.010000", "created": "2022-06-29T14:55:21.812000", "tags": [ "windows nt", "malicious", "suspicious", "february", "moved", "gmt content", "set cookie", "gmt path", "x sorting", "hat podid", "hat shopid", "x storefront" ], "references": [ "https://hybrid-analysis.com/sample/93aad12ffc4a15052f6e133ce509b9c676c7a0b0eb118d714ecd6a6699fd0c9c/62bc50d0c273e7065f4cfbcb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 529, "URL": 1464, "hostname": 733, "FileHash-SHA256": 945, "email": 9, "FileHash-MD5": 82, "CVE": 1, "FileHash-SHA1": 55 }, "indicator_count": 3818, "is_author": false, "is_subscribing": null, "subscriber_count": 396, "modified_text": "1405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/93aad12ffc4a15052f6e133ce509b9c676c7a0b0eb118d714ecd6a6699fd0c9c/62bc50d0c273e7065f4cfbcb", "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2", "Process binds to unusual ports details Process \"%PROGRAMFILES%\\Microsoft Office\\Office14\\WINWORD.EXE\" binds to port 49791 source Network Traffic", "~WRD0004.doc", "https://hybrid-analysis.com/sample/375809b8a913e9fdf5a6a0463d373eff98ee7d8054a49c28bd133b90fbe7b424/63f406d1b2eb1e516771f201", "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc", "Contains - TarD5B7.tmp\tc0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win.trojan.zbot-9880005-0", "Trojanspy", "'win32:trojan-gen", "Lolkek", "Worm:win32/mofksys.rnd!mtb", "Backdoor:win32/simda", "Trojan:msil/clipbanker.gb!mtb", "Crypt3.blxp", "Etpro trojan", "Artro", "Trojan:win32/comspec", "#lowfi:scpt:kiraasciiobfuscator", "Pws:win32/vb.cu", "Win.packed.zusy-7170176-0", "Hacktool", "Worm:win32/mofksys.b", "Trojanspy:win32/swisyn", "Quasar rat", "Cobalt strike", "Virus:win32/floxif.h", "Dark power", "Emotet", "Tel:trojandownloader:o97m/msiexecabuse", "Ransomware", "Worm:logo/logic" ], "industries": [ "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a1bbf37e377ccaa110200e0", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.684000", "created": "2026-05-31T04:55:19.811000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1bbf3891b8d5e7f5fda895", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.273000", "created": "2026-05-31T04:55:20.446000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708ff435400450988945f1", "name": "auto.getsetpet.com - typosquat cloudfare.com with many typical subs as well", "description": "", "modified": "2023-12-06T15:15:00.581000", "created": "2023-12-06T15:15:00.581000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 733, "FileHash-SHA256": 945, "domain": 529, "URL": 1464, "email": 9, "FileHash-MD5": 82, "FileHash-SHA1": 55, "CVE": 1 }, "indicator_count": 3818, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f52c8134bcfec6bc14eb20", "name": "~WRD0004.doc", "description": "", "modified": "2023-02-21T20:41:36.773000", "created": "2023-02-21T20:41:36.773000", "tags": [ "375809b8a913e9fdf5a6a0463d373eff98ee7d8054a49c28bd133b90fbe7b424", "~WRD0004.doc" ], "references": [ "~WRD0004.doc", "Contains - TarD5B7.tmp\tc0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "Process binds to unusual ports details Process \"%PROGRAMFILES%\\Microsoft Office\\Office14\\WINWORD.EXE\" binds to port 49791 source Network Traffic", "https://hybrid-analysis.com/sample/375809b8a913e9fdf5a6a0463d373eff98ee7d8054a49c28bd133b90fbe7b424/63f406d1b2eb1e516771f201" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 19, "URL": 7, "domain": 12, "FileHash-MD5": 14, "FileHash-SHA1": 11 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1197 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62bc67d92c92ae06d9df38b4", "name": "auto.getsetpet.com - typosquat cloudfare.com with many typical subs as well", "description": "", "modified": "2022-07-29T00:00:24.010000", "created": "2022-06-29T14:55:21.812000", "tags": [ "windows nt", "malicious", "suspicious", "february", "moved", "gmt content", "set cookie", "gmt path", "x sorting", "hat podid", "hat shopid", "x storefront" ], "references": [ "https://hybrid-analysis.com/sample/93aad12ffc4a15052f6e133ce509b9c676c7a0b0eb118d714ecd6a6699fd0c9c/62bc50d0c273e7065f4cfbcb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 529, "URL": 1464, "hostname": 733, "FileHash-SHA256": 945, "email": 9, "FileHash-MD5": 82, "CVE": 1, "FileHash-SHA1": 55 }, "indicator_count": 3818, "is_author": false, "is_subscribing": null, "subscriber_count": 396, "modified_text": "1405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "st.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "st.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780461635.247116 }