{ "type": "Domain", "indicator": "this.gr", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/this.gr", "alexa": "http://www.alexa.com/siteinfo/this.gr", "indicator": "this.gr", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2489337818, "indicator": "this.gr", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "67c0bed5c0689e962175701a", "name": "ULABERTA[.]CA typosquatting UALBERTA[.]CA", "description": "Typosquatting ualberta[.]ca and ulaberta[.]ca but both are linked together with PDF 067eec93b62d109eab419a658c83bd4bf6d257edace5d6646de925ddf752fbd1 and in its memory are: www[.]researchid[.]com & ualberta[.]ca & ulaberta[.]ca.\nFake emails ulaberta[.]ca are linked with ualberta[.]ca, see more: https://x.com/userlolxxl/status/1895127170906829162 and hxxp://ww1[.]ulaberta[.]ca/?usid=103&utid=2184b6ecc11e5147d27515bd5f32051d and hxxps://parking3[.]parklogic[.]com/page/scribe[.]php?pcId=1&domain=ulaberta[.]ca&pId=2889&usid=$", "modified": "2025-03-31T15:06:25.649000", "created": "2025-02-27T19:36:53.135000", "tags": [ "ulaberta", "ualberta", "typosquatting", "email", "viewport", "Google user-triggered fetchers", "IJQM Template", "dp-teaminternet04_3ph", "21404,17300003,17301437,17301439,17301442,17301548,17301266,7271", "1740665819.3303:09e137b80bfca0ad5ff3ea605fab0cda9c4a0ae4cc637d23", "ja3_s 009f303a064ba7f6653657f4cdbdc8ca" ], "references": [ "https://www.hybrid-analysis.com/sample/6c5cd3b2670ed37f57c261fc4c2fe92e892a1d370ecf95440742ad987db0b504", "https://www.hybrid-analysis.com/sample/fb8aa6f22badeb5cd921715a284094ac2a0d0b1ab8d82fd4965d4c1eb7f0db7d", "https://www.virustotal.com/graph/embed/g5ad3008e54e74494b6646cdb4be00f504ebc64c7d762417b91203a5f05b4e2e9", "https://urlscan.io/result/7291083a-54a3-4757-92e4-ceb51d528b15/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Zugo", "display_name": "Zugo", "target": null } ], "attack_ids": [ { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "userlolxxl", "id": "276085", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_276085/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "URL": 122, "hostname": 62, "FileHash-SHA256": 19, "email": 2, "FileHash-MD5": 34, "FileHash-SHA1": 2 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "675127405277d037355e5db6", "name": "Beehive.Systems", "description": "#if PRAGMA_ONCE, which includes the word \"pagma\" and the term \"penet\", should not be used as part of any attempt to set a new code.", "modified": "2024-12-05T04:08:32.154000", "created": "2024-12-05T04:08:32.154000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 30, "hostname": 69 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "544 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661afd962ed1f89b54a92de9", "name": "Injection #1", "description": "Injection #1", "modified": "2024-04-13T21:48:06.480000", "created": "2024-04-13T21:48:06.480000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phoenix-choi1", "id": "278628", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "domain": 63, "hostname": 109 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "780 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64da05cdba55fc9cf872cb11", "name": "IOC's off of my personal devices Aug 14th - June 28th | Come one come all, something for everyone", "description": "Now that I've been able to get a pulse published I'm going to be recursively and actively updating this pulse with IOC's pulled off of files marked malicious, suspicious, ambigious, or clean with a threat score from my personal devices. I will also add files that have a high amount of indicators and no threat score as well and let AlienVault sort it out. Hopefully I'll be able i'll be able to fill the gap to my last Pulse the better part of a year ago. \n\nNearly all of these files are debug and VM aware, with a majority having a legitimate certificate chain. The ones that do run have been initialized in a live environment (aka my desktop, laptop, phone, etc).", "modified": "2024-02-14T21:44:01.779000", "created": "2023-08-14T10:45:33.014000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "falcon sandbox", "hybrid analysis", "sandbox files", "urls quick", "scans files", "urls file", "releases", "updates faq", "public api", "knowledge base" ], "references": [ "https://otx.alienvault.com/indicator/file/b197cf4cee44d52be11275f49f3143b4f7f8e735", "https://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303/64da0aedbe662a714b0480b1", "https://www.virustotal.com/gui/file/207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861/behavior", "https://www.virustotal.com/gui/file/3db36d262eb15c349b4b945e0b1d9772c262cd2b7d57c40ede429958daeab97e?nocache=1", "https://otx.alienvault.com/indicator/file/08515dcc6df957c9c5d4f00db4f568b3ee29c337", "https://www.joesandbox.com/analysis/1041402", "http://hybrid-analysis.com/sample/e9fc2ca7297a65937de9887be565eb5bbd149ba2c1a1ea4d3ca88302ede7ecac", "https://www.virustotal.com/gui/file/a7b4797c4a29864aacb7b40dd854adaf3936791d7c326d02d4aad37982d801a9/community", "http://hybrid-analysis.com/sample/e4db1656c4cfff0a4ced5a943b8433388c7b4935711d522014c819328f19001d/64da070d00534407c40c1034", "http://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303", "http://hybrid-analysis.com/sample/4cf079d4d7a154cd93f65934b5d115f07af8f25ee24930e6cc606dfb0aea2a4e", "https://otx.alienvault.com/indicator/file/1831d8972bfae639576d10903c2d586e", "https://hybrid-analysis.com/sample/beff391ce640cc8fdfcec22b77c5d2bc4776304e3a404e8168ce315226c4fc41/5eae8f731389173b4c432b17", "https://otx.alienvault.com/indicator/file/c85cc6f8ff7d69d7a7af9498d7d75bc05e35fb69f34d7b50d9057608f7b73f51", "", "https://tria.ge/230806-j3tdasgd72", "https://tria.ge/230806-j8mspsgd84", "https://tria.ge/230806-j8tk9ahg7t", "https://tria.ge/230809-vsggjadf59", "https://tria.ge/230809-vtdr2afd2t" ], "public": 1, "adversary": "Unknown - Most likely multiple spanning Cyrillic and Chinese in terms of artifacts", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "neshta", "display_name": "neshta", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Win.Dropper.Gh0stRAT", "display_name": "Win.Dropper.Gh0stRAT", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "Win32:Farfli-BH", "display_name": "Win32:Farfli-BH", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "TrojanDownloader:Win32/Zegost.E!bit", "display_name": "TrojanDownloader:Win32/Zegost.E!bit", "target": "/malware/TrojanDownloader:Win32/Zegost.E!bit" }, { "id": "Backdoor:Win32/Zegost.CQ!bit", "display_name": "Backdoor:Win32/Zegost.CQ!bit", "target": "/malware/Backdoor:Win32/Zegost.CQ!bit" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Backdoor:Win32/Zegost.gen!B", "display_name": "Backdoor:Win32/Zegost.gen!B", "target": "/malware/Backdoor:Win32/Zegost.gen!B" }, { "id": "Win.Dropper.Gh0stRAT-7696262-0", "display_name": "Win.Dropper.Gh0stRAT-7696262-0", "target": null }, { "id": "Backdoor:Win32/Zegost.BU", "display_name": "Backdoor:Win32/Zegost.BU", "target": "/malware/Backdoor:Win32/Zegost.BU" }, { "id": "Trojan:Win32/Farfli.DSK!MTB", "display_name": "Trojan:Win32/Farfli.DSK!MTB", "target": "/malware/Trojan:Win32/Farfli.DSK!MTB" }, { "id": "Backdoor:Win32/Zegost.BK", "display_name": "Backdoor:Win32/Zegost.BK", "target": "/malware/Backdoor:Win32/Zegost.BK" }, { "id": "HackTool:Win32/Mimikatz.F", "display_name": "HackTool:Win32/Mimikatz.F", "target": "/malware/HackTool:Win32/Mimikatz.F" }, { "id": "Trojan:Win32/GhostRatCrypt.GA!MTB", "display_name": "Trojan:Win32/GhostRatCrypt.GA!MTB", "target": "/malware/Trojan:Win32/GhostRatCrypt.GA!MTB" }, { "id": "Backdoor:Win32/Zegost.CG", "display_name": "Backdoor:Win32/Zegost.CG", "target": "/malware/Backdoor:Win32/Zegost.CG" }, { "id": "Backdoor:Win32/Zegost.AD", "display_name": "Backdoor:Win32/Zegost.AD", "target": "/malware/Backdoor:Win32/Zegost.AD" }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Backdoor:Win32/Zegost!atmn", "display_name": "Backdoor:Win32/Zegost!atmn", "target": "/malware/Backdoor:Win32/Zegost!atmn" }, { "id": "Backdoor:Win32/Zegost.H!dll", "display_name": "Backdoor:Win32/Zegost.H!dll", "target": "/malware/Backdoor:Win32/Zegost.H!dll" }, { "id": "Zeppelin_10", "display_name": "Zeppelin_10", "target": null }, { "id": "ALF:Trojan:Win32/Cipduk.D!dha", "display_name": "ALF:Trojan:Win32/Cipduk.D!dha", "target": null }, { "id": "Backdoor:Win32/Zegost.BR", "display_name": "Backdoor:Win32/Zegost.BR", "target": "/malware/Backdoor:Win32/Zegost.BR" }, { "id": "Backdoor:Win32/Farfli.AX", "display_name": "Backdoor:Win32/Farfli.AX", "target": "/malware/Backdoor:Win32/Farfli.AX" }, { "id": "ALF:HeraklezEval:Worm:Win32/Sfone", "display_name": "ALF:HeraklezEval:Worm:Win32/Sfone", "target": null }, { "id": "Backdoor:Win32/Zegost.L", "display_name": "Backdoor:Win32/Zegost.L", "target": "/malware/Backdoor:Win32/Zegost.L" }, { "id": "Backdoor:MSIL/Zegost.GG!MTB", "display_name": "Backdoor:MSIL/Zegost.GG!MTB", "target": "/malware/Backdoor:MSIL/Zegost.GG!MTB" }, { "id": "SLF:Win32/Dozlodz.A!MTB", "display_name": "SLF:Win32/Dozlodz.A!MTB", "target": "/malware/SLF:Win32/Dozlodz.A!MTB" }, { "id": "Win64:Xpirat\\ [Inf]", "display_name": "Win64:Xpirat\\ [Inf]", "target": null }, { "id": "Backdoor:Win32/Zegost.KM!MTB", "display_name": "Backdoor:Win32/Zegost.KM!MTB", "target": "/malware/Backdoor:Win32/Zegost.KM!MTB" }, { "id": "AdvancedInstaller", "display_name": "AdvancedInstaller", "target": null }, { "id": "TrojanDropper:Win32/Venik", "display_name": "TrojanDropper:Win32/Venik", "target": "/malware/TrojanDropper:Win32/Venik" }, { "id": "hacker87", "display_name": "hacker87", "target": null }, { "id": "PurpleFox", "display_name": "PurpleFox", "target": null }, { "id": "PCRat", "display_name": "PCRat", "target": null }, { "id": "Gh0stCringe", "display_name": "Gh0stCringe", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2387, "FileHash-SHA1": 2126, "FileHash-SHA256": 9395, "SSLCertFingerprint": 27, "domain": 88, "URL": 185, "hostname": 165, "email": 11 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e80d56fba248bac0744780", "name": "\ud83e\udd14\ud83d\udea8 Could this be the source of all Evil? \ud83d\udea8\ud83e\udd14 Nubotnet - Team:KU Leuven/test2 - 2021.igem.org", "description": "", "modified": "2022-08-31T00:01:05.509000", "created": "2022-08-01T17:28:54.991000", "tags": [ "apt", "runtime data", "decrypted ssl", "pcap", "windows nt", "tops", "cookie", "typeof t", "element", "error", "matrix", "typeerror", "bmfloor", "frameelement", "null", "skew", "parade" ], "references": [ "https://2021.igem.org/Team:KU_Leuven/test2", "https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1696, "domain": 586, "hostname": 613, "FileHash-SHA256": 533, "FileHash-MD5": 34, "FileHash-SHA1": 33, "email": 1 }, "indicator_count": 3496, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1372 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e69610305a20de80232e50", "name": ";http://tdarr.io/ - yet more net.sh", "description": "", "modified": "2022-08-30T00:01:48.297000", "created": "2022-07-31T14:47:44.291000", "tags": [ "trojan", "apt", "runtime data", "decrypted ssl", "typeerror", "typeof symbol", "null", "accept", "unknown", "roboto", "generator", "matrix", "internal", "blank", "trident", "discord", "facebook", "twitch", "backend", "twitter", "suser", "android", "meta", "skew", "parade", "click", "malicious", "mozilla", "suspicious", "network traffic", "net.sh" ], "references": [ "https://hybrid-analysis.com/sample/3782c093f4a54060ab6a269e2cc5a0334352f4c210500d370f185b6799f0007a/62e280899822900706678798", "tdarr.io", "net.sh neural netw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 786, "hostname": 498, "FileHash-SHA256": 122, "domain": 139, "FileHash-MD5": 43, "FileHash-SHA1": 36 }, "indicator_count": 1624, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "net.sh neural netw", "https://otx.alienvault.com/indicator/file/c85cc6f8ff7d69d7a7af9498d7d75bc05e35fb69f34d7b50d9057608f7b73f51", "https://tria.ge/230809-vtdr2afd2t", "http://hybrid-analysis.com/sample/e9fc2ca7297a65937de9887be565eb5bbd149ba2c1a1ea4d3ca88302ede7ecac", "https://urlscan.io/result/7291083a-54a3-4757-92e4-ceb51d528b15/", "https://www.hybrid-analysis.com/sample/6c5cd3b2670ed37f57c261fc4c2fe92e892a1d370ecf95440742ad987db0b504", "https://otx.alienvault.com/indicator/file/b197cf4cee44d52be11275f49f3143b4f7f8e735", "https://tria.ge/230809-vsggjadf59", "https://otx.alienvault.com/indicator/file/08515dcc6df957c9c5d4f00db4f568b3ee29c337", "https://otx.alienvault.com/indicator/file/1831d8972bfae639576d10903c2d586e", "https://tria.ge/230806-j8tk9ahg7t", "https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0", "https://www.joesandbox.com/analysis/1041402", "https://www.virustotal.com/gui/file/a7b4797c4a29864aacb7b40dd854adaf3936791d7c326d02d4aad37982d801a9/community", "https://tria.ge/230806-j8mspsgd84", "https://hybrid-analysis.com/sample/beff391ce640cc8fdfcec22b77c5d2bc4776304e3a404e8168ce315226c4fc41/5eae8f731389173b4c432b17", "https://hybrid-analysis.com/sample/3782c093f4a54060ab6a269e2cc5a0334352f4c210500d370f185b6799f0007a/62e280899822900706678798", "https://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303/64da0aedbe662a714b0480b1", "https://tria.ge/230806-j3tdasgd72", "https://www.virustotal.com/gui/file/207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861/behavior", "http://hybrid-analysis.com/sample/e4db1656c4cfff0a4ced5a943b8433388c7b4935711d522014c819328f19001d/64da070d00534407c40c1034", "http://hybrid-analysis.com/sample/4cf079d4d7a154cd93f65934b5d115f07af8f25ee24930e6cc606dfb0aea2a4e", "https://2021.igem.org/Team:KU_Leuven/test2", "tdarr.io", "https://www.hybrid-analysis.com/sample/fb8aa6f22badeb5cd921715a284094ac2a0d0b1ab8d82fd4965d4c1eb7f0db7d", "https://www.virustotal.com/graph/embed/g5ad3008e54e74494b6646cdb4be00f504ebc64c7d762417b91203a5f05b4e2e9", "https://www.virustotal.com/gui/file/3db36d262eb15c349b4b945e0b1d9772c262cd2b7d57c40ede429958daeab97e?nocache=1", "http://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown - Most likely multiple spanning Cyrillic and Chinese in terms of artifacts" ], "malware_families": [ "Backdoor:msil/zegost.gg!mtb", "Win32:farfli-bh", "Zugo", "Backdoor:win32/zegost.cg", "Backdoor:win32/zegost.bk", "Win.dropper.gh0strat", "Alf:heraklezeval:worm:win32/sfone", "Pcrat", "Backdoor:win32/zegost.bu", "Backdoor:win32/zegost!atmn", "Hacker87", "Win.dropper.gh0strat-7696262-0", "Alf:trojan:win32/cipduk.d!dha", "Neshta", "Win.malware.qshell-9875653-0", "Expiro", "Backdoor:win32/zegost.br", "Backdoor:win32/zegost.gen!b", "Backdoor:win32/zegost.l", "Trojan:win32/ghostratcrypt.ga!mtb", "Zeppelin_10", "Trojan:win32/farfli.dsk!mtb", "Trojandownloader:win32/nemucod", "Backdoor:win32/zegost.ad", "Slf:win32/dozlodz.a!mtb", "Backdoor:win32/farfli.ax", "Gh0stcringe", "Trojandropper:win32/venik", "Win.malware.eclz-9953021-0", "#lowfi:suspicioussectionname", "Advancedinstaller", "Trojandownloader:win32/zegost.e!bit", "Backdoor:win32/zegost.cq!bit", "Backdoor:win32/zegost.h!dll", "Hacktool:win32/mimikatz.f", "Backdoor:win32/zegost.km!mtb", "Win64:xpirat\\ [inf]", "Purplefox", "Worm:win32/sfone.a", "Win.malware.snojan-6775202-0" ], "industries": [ "Individuals" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "67c0bed5c0689e962175701a", "name": "ULABERTA[.]CA typosquatting UALBERTA[.]CA", "description": "Typosquatting ualberta[.]ca and ulaberta[.]ca but both are linked together with PDF 067eec93b62d109eab419a658c83bd4bf6d257edace5d6646de925ddf752fbd1 and in its memory are: www[.]researchid[.]com & ualberta[.]ca & ulaberta[.]ca.\nFake emails ulaberta[.]ca are linked with ualberta[.]ca, see more: https://x.com/userlolxxl/status/1895127170906829162 and hxxp://ww1[.]ulaberta[.]ca/?usid=103&utid=2184b6ecc11e5147d27515bd5f32051d and hxxps://parking3[.]parklogic[.]com/page/scribe[.]php?pcId=1&domain=ulaberta[.]ca&pId=2889&usid=$", "modified": "2025-03-31T15:06:25.649000", "created": "2025-02-27T19:36:53.135000", "tags": [ "ulaberta", "ualberta", "typosquatting", "email", "viewport", "Google user-triggered fetchers", "IJQM Template", "dp-teaminternet04_3ph", "21404,17300003,17301437,17301439,17301442,17301548,17301266,7271", "1740665819.3303:09e137b80bfca0ad5ff3ea605fab0cda9c4a0ae4cc637d23", "ja3_s 009f303a064ba7f6653657f4cdbdc8ca" ], "references": [ "https://www.hybrid-analysis.com/sample/6c5cd3b2670ed37f57c261fc4c2fe92e892a1d370ecf95440742ad987db0b504", "https://www.hybrid-analysis.com/sample/fb8aa6f22badeb5cd921715a284094ac2a0d0b1ab8d82fd4965d4c1eb7f0db7d", "https://www.virustotal.com/graph/embed/g5ad3008e54e74494b6646cdb4be00f504ebc64c7d762417b91203a5f05b4e2e9", "https://urlscan.io/result/7291083a-54a3-4757-92e4-ceb51d528b15/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Zugo", "display_name": "Zugo", "target": null } ], "attack_ids": [ { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "userlolxxl", "id": "276085", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_276085/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "URL": 122, "hostname": 62, "FileHash-SHA256": 19, "email": 2, "FileHash-MD5": 34, "FileHash-SHA1": 2 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "675127405277d037355e5db6", "name": "Beehive.Systems", "description": "#if PRAGMA_ONCE, which includes the word \"pagma\" and the term \"penet\", should not be used as part of any attempt to set a new code.", "modified": "2024-12-05T04:08:32.154000", "created": "2024-12-05T04:08:32.154000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 30, "hostname": 69 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "544 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661afd962ed1f89b54a92de9", "name": "Injection #1", "description": "Injection #1", "modified": "2024-04-13T21:48:06.480000", "created": "2024-04-13T21:48:06.480000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phoenix-choi1", "id": "278628", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "domain": 63, "hostname": 109 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "780 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64da05cdba55fc9cf872cb11", "name": "IOC's off of my personal devices Aug 14th - June 28th | Come one come all, something for everyone", "description": "Now that I've been able to get a pulse published I'm going to be recursively and actively updating this pulse with IOC's pulled off of files marked malicious, suspicious, ambigious, or clean with a threat score from my personal devices. I will also add files that have a high amount of indicators and no threat score as well and let AlienVault sort it out. Hopefully I'll be able i'll be able to fill the gap to my last Pulse the better part of a year ago. \n\nNearly all of these files are debug and VM aware, with a majority having a legitimate certificate chain. The ones that do run have been initialized in a live environment (aka my desktop, laptop, phone, etc).", "modified": "2024-02-14T21:44:01.779000", "created": "2023-08-14T10:45:33.014000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "falcon sandbox", "hybrid analysis", "sandbox files", "urls quick", "scans files", "urls file", "releases", "updates faq", "public api", "knowledge base" ], "references": [ "https://otx.alienvault.com/indicator/file/b197cf4cee44d52be11275f49f3143b4f7f8e735", "https://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303/64da0aedbe662a714b0480b1", "https://www.virustotal.com/gui/file/207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861/behavior", "https://www.virustotal.com/gui/file/3db36d262eb15c349b4b945e0b1d9772c262cd2b7d57c40ede429958daeab97e?nocache=1", "https://otx.alienvault.com/indicator/file/08515dcc6df957c9c5d4f00db4f568b3ee29c337", "https://www.joesandbox.com/analysis/1041402", "http://hybrid-analysis.com/sample/e9fc2ca7297a65937de9887be565eb5bbd149ba2c1a1ea4d3ca88302ede7ecac", "https://www.virustotal.com/gui/file/a7b4797c4a29864aacb7b40dd854adaf3936791d7c326d02d4aad37982d801a9/community", "http://hybrid-analysis.com/sample/e4db1656c4cfff0a4ced5a943b8433388c7b4935711d522014c819328f19001d/64da070d00534407c40c1034", "http://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303", "http://hybrid-analysis.com/sample/4cf079d4d7a154cd93f65934b5d115f07af8f25ee24930e6cc606dfb0aea2a4e", "https://otx.alienvault.com/indicator/file/1831d8972bfae639576d10903c2d586e", "https://hybrid-analysis.com/sample/beff391ce640cc8fdfcec22b77c5d2bc4776304e3a404e8168ce315226c4fc41/5eae8f731389173b4c432b17", "https://otx.alienvault.com/indicator/file/c85cc6f8ff7d69d7a7af9498d7d75bc05e35fb69f34d7b50d9057608f7b73f51", "", "https://tria.ge/230806-j3tdasgd72", "https://tria.ge/230806-j8mspsgd84", "https://tria.ge/230806-j8tk9ahg7t", "https://tria.ge/230809-vsggjadf59", "https://tria.ge/230809-vtdr2afd2t" ], "public": 1, "adversary": "Unknown - Most likely multiple spanning Cyrillic and Chinese in terms of artifacts", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "neshta", "display_name": "neshta", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Win.Dropper.Gh0stRAT", "display_name": "Win.Dropper.Gh0stRAT", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "Win32:Farfli-BH", "display_name": "Win32:Farfli-BH", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "TrojanDownloader:Win32/Zegost.E!bit", "display_name": "TrojanDownloader:Win32/Zegost.E!bit", "target": "/malware/TrojanDownloader:Win32/Zegost.E!bit" }, { "id": "Backdoor:Win32/Zegost.CQ!bit", "display_name": "Backdoor:Win32/Zegost.CQ!bit", "target": "/malware/Backdoor:Win32/Zegost.CQ!bit" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Backdoor:Win32/Zegost.gen!B", "display_name": "Backdoor:Win32/Zegost.gen!B", "target": "/malware/Backdoor:Win32/Zegost.gen!B" }, { "id": "Win.Dropper.Gh0stRAT-7696262-0", "display_name": "Win.Dropper.Gh0stRAT-7696262-0", "target": null }, { "id": "Backdoor:Win32/Zegost.BU", "display_name": "Backdoor:Win32/Zegost.BU", "target": "/malware/Backdoor:Win32/Zegost.BU" }, { "id": "Trojan:Win32/Farfli.DSK!MTB", "display_name": "Trojan:Win32/Farfli.DSK!MTB", "target": "/malware/Trojan:Win32/Farfli.DSK!MTB" }, { "id": "Backdoor:Win32/Zegost.BK", "display_name": "Backdoor:Win32/Zegost.BK", "target": "/malware/Backdoor:Win32/Zegost.BK" }, { "id": "HackTool:Win32/Mimikatz.F", "display_name": "HackTool:Win32/Mimikatz.F", "target": "/malware/HackTool:Win32/Mimikatz.F" }, { "id": "Trojan:Win32/GhostRatCrypt.GA!MTB", "display_name": "Trojan:Win32/GhostRatCrypt.GA!MTB", "target": "/malware/Trojan:Win32/GhostRatCrypt.GA!MTB" }, { "id": "Backdoor:Win32/Zegost.CG", "display_name": "Backdoor:Win32/Zegost.CG", "target": "/malware/Backdoor:Win32/Zegost.CG" }, { "id": "Backdoor:Win32/Zegost.AD", "display_name": "Backdoor:Win32/Zegost.AD", "target": "/malware/Backdoor:Win32/Zegost.AD" }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Backdoor:Win32/Zegost!atmn", "display_name": "Backdoor:Win32/Zegost!atmn", "target": "/malware/Backdoor:Win32/Zegost!atmn" }, { "id": "Backdoor:Win32/Zegost.H!dll", "display_name": "Backdoor:Win32/Zegost.H!dll", "target": "/malware/Backdoor:Win32/Zegost.H!dll" }, { "id": "Zeppelin_10", "display_name": "Zeppelin_10", "target": null }, { "id": "ALF:Trojan:Win32/Cipduk.D!dha", "display_name": "ALF:Trojan:Win32/Cipduk.D!dha", "target": null }, { "id": "Backdoor:Win32/Zegost.BR", "display_name": "Backdoor:Win32/Zegost.BR", "target": "/malware/Backdoor:Win32/Zegost.BR" }, { "id": "Backdoor:Win32/Farfli.AX", "display_name": "Backdoor:Win32/Farfli.AX", "target": "/malware/Backdoor:Win32/Farfli.AX" }, { "id": "ALF:HeraklezEval:Worm:Win32/Sfone", "display_name": "ALF:HeraklezEval:Worm:Win32/Sfone", "target": null }, { "id": "Backdoor:Win32/Zegost.L", "display_name": "Backdoor:Win32/Zegost.L", "target": "/malware/Backdoor:Win32/Zegost.L" }, { "id": "Backdoor:MSIL/Zegost.GG!MTB", "display_name": "Backdoor:MSIL/Zegost.GG!MTB", "target": "/malware/Backdoor:MSIL/Zegost.GG!MTB" }, { "id": "SLF:Win32/Dozlodz.A!MTB", "display_name": "SLF:Win32/Dozlodz.A!MTB", "target": "/malware/SLF:Win32/Dozlodz.A!MTB" }, { "id": "Win64:Xpirat\\ [Inf]", "display_name": "Win64:Xpirat\\ [Inf]", "target": null }, { "id": "Backdoor:Win32/Zegost.KM!MTB", "display_name": "Backdoor:Win32/Zegost.KM!MTB", "target": "/malware/Backdoor:Win32/Zegost.KM!MTB" }, { "id": "AdvancedInstaller", "display_name": "AdvancedInstaller", "target": null }, { "id": "TrojanDropper:Win32/Venik", "display_name": "TrojanDropper:Win32/Venik", "target": "/malware/TrojanDropper:Win32/Venik" }, { "id": "hacker87", "display_name": "hacker87", "target": null }, { "id": "PurpleFox", "display_name": "PurpleFox", "target": null }, { "id": "PCRat", "display_name": "PCRat", "target": null }, { "id": "Gh0stCringe", "display_name": "Gh0stCringe", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2387, "FileHash-SHA1": 2126, "FileHash-SHA256": 9395, "SSLCertFingerprint": 27, "domain": 88, "URL": 185, "hostname": 165, "email": 11 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e80d56fba248bac0744780", "name": "\ud83e\udd14\ud83d\udea8 Could this be the source of all Evil? \ud83d\udea8\ud83e\udd14 Nubotnet - Team:KU Leuven/test2 - 2021.igem.org", "description": "", "modified": "2022-08-31T00:01:05.509000", "created": "2022-08-01T17:28:54.991000", "tags": [ "apt", "runtime data", "decrypted ssl", "pcap", "windows nt", "tops", "cookie", "typeof t", "element", "error", "matrix", "typeerror", "bmfloor", "frameelement", "null", "skew", "parade" ], "references": [ "https://2021.igem.org/Team:KU_Leuven/test2", "https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1696, "domain": 586, "hostname": 613, "FileHash-SHA256": 533, "FileHash-MD5": 34, "FileHash-SHA1": 33, "email": 1 }, "indicator_count": 3496, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1372 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e69610305a20de80232e50", "name": ";http://tdarr.io/ - yet more net.sh", "description": "", "modified": "2022-08-30T00:01:48.297000", "created": "2022-07-31T14:47:44.291000", "tags": [ "trojan", "apt", "runtime data", "decrypted ssl", "typeerror", "typeof symbol", "null", "accept", "unknown", "roboto", "generator", "matrix", "internal", "blank", "trident", "discord", "facebook", "twitch", "backend", "twitter", "suser", "android", "meta", "skew", "parade", "click", "malicious", "mozilla", "suspicious", "network traffic", "net.sh" ], "references": [ "https://hybrid-analysis.com/sample/3782c093f4a54060ab6a269e2cc5a0334352f4c210500d370f185b6799f0007a/62e280899822900706678798", "tdarr.io", "net.sh neural netw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 786, "hostname": 498, "FileHash-SHA256": 122, "domain": 139, "FileHash-MD5": 43, "FileHash-SHA1": 36 }, "indicator_count": 1624, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "this.gr", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "this.gr", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780453571.2037578 }