{ "type": "Domain", "indicator": "wallup.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/wallup.net", "alexa": "http://www.alexa.com/siteinfo/wallup.net", "indicator": "wallup.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 20906484, "indicator": "wallup.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-04-21T05:28:37.411000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 514, "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 466, "hostname": 580, "domain": 60, "email": 3, "CVE": 2, "JA3": 1 }, "indicator_count": 3181, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6400623068aef7080a745bfc", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "", "modified": "2023-03-02T08:45:36.126000", "created": "2023-03-02T08:45:36.126000", "tags": [ "Hangul Word Processor", "steganography", "M2RAT", "Powershell", "JavaScript" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" } ], "industries": [], "TLP": "white", "cloned_from": "63f871120247156c9a460a8a", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "1148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f871120247156c9a460a8a", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "", "modified": "2023-02-24T08:10:58.496000", "created": "2023-02-24T08:10:58.496000", "tags": [ "Hangul Word Processor", "steganography", "M2RAT", "Powershell", "JavaScript" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" } ], "industries": [], "TLP": "white", "cloned_from": "63f870ef3132e181b236c949", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "1154 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f870ef3132e181b236c949", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "", "modified": "2023-02-24T08:10:23.038000", "created": "2023-02-24T08:10:23.038000", "tags": [ "Hangul Word Processor", "steganography", "M2RAT", "Powershell", "JavaScript" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" } ], "industries": [], "TLP": "white", "cloned_from": "63f67cceee1cc80ed9497ecf", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "1154 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f6631f6650a6ba34e223d6", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "In January, the ASEC analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291) in Korea.The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the latest RedEyes group attack is the fact that they exploited the HWP EPS vulnerability using the steganography technique to distribute their malware.", "modified": "2023-02-22T18:48:44.991000", "created": "2023-02-22T18:46:55.423000", "tags": [ "redeyes", "chinotto", "m2rat", "map2", "redeyes group", "pe file", "mac address", "scarcruft", "run key", "asec analysis", "figure", "value", "powershell", "defense", "body", "example", "refer", "winrar", "ghost", "korean", "team" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [ { "id": "Map2", "display_name": "Map2", "target": null }, { "id": "M2RAT", "display_name": "M2RAT", "target": null }, { "id": "Chinotto", "display_name": "Chinotto", "target": null }, { "id": "RedEyes", "display_name": "RedEyes", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": "63f481d0c7674284f0677046", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "1156 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f481d0c7674284f0677046", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) - ASEC BLOG", "description": "A new strain of malware has been found in the RedEyes threat group in South Korea, which uses a vulnerability in Hangul Word Processor to distribute malware, according to an analysis team from AhnLab.", "modified": "2023-02-21T08:33:20.090000", "created": "2023-02-21T08:33:20.090000", "tags": [ "redeyes", "chinotto", "m2rat", "map2", "redeyes group", "pe file", "mac address", "scarcruft", "run key", "asec analysis", "figure", "value", "powershell", "defense", "body", "example", "refer", "winrar", "ghost", "korean", "team" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [ { "id": "Map2", "display_name": "Map2", "target": null }, { "id": "M2RAT", "display_name": "M2RAT", "target": null }, { "id": "Chinotto", "display_name": "Chinotto", "target": null }, { "id": "RedEyes", "display_name": "RedEyes", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 847, "modified_text": "1157 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ed3a6912bea0bd527e197b", "name": "M2RAT, New Malware That Steals Sensitive Data", "description": "AhnLab details an incident where cybercriminals used a new malware they dubbed M2RAT delivered through phishing email attachments. The malware can exfiltrate process information, keylogging, and document and voice files, including those from connected portable devices. The malware will periodically captures screenshots, but the cybercriminal can issue a command to capture those when desired. M2RAT uses a shared memory section for C2 communication, the transfer of stolen data to the C2 without storing them in the compromised system, and data exfiltration. AhnLab attributed the attack to APT37 (RedEyes, ScarCruft), basing their attribution on the techniques employed have been used by APT37.", "modified": "2023-02-15T20:02:49.714000", "created": "2023-02-15T20:02:49.714000", "tags": [ "dw-osint-cib", "malware", "malwaretype/rat", "malware/m2rat", "threatactor", "threatactor/apt37" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 7 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ecc7fe23f455ec3ea89c8e", "name": "Korean (HWP) malware using steganography techniques: RedEyes (ScarCruft)", "description": "The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.\nAPT37, also known as 'RedEyes' or 'ScarCruft,' is a North Korean cyber espionage hacking group believed to be state-supported.", "modified": "2023-02-15T11:54:38.595000", "created": "2023-02-15T11:54:38.595000", "tags": [ "m2rat", "asec", "redeyes", "reply redeyes", "strong", "scarcruft", "ahnlab security", "center", "apt37", "windows", "middle", "persistence", "defense", "body", "postscript", "winrar", "magniber", "open", "media", "facebook", "footer", "insert" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beep", "display_name": "Beep", "target": null }, { "id": "Xorist", "display_name": "Xorist", "target": null }, { "id": "GO", "display_name": "GO", "target": null }, { "id": "Clipper", "display_name": "Clipper", "target": null }, { "id": "Laplas Clipper", "display_name": "Laplas Clipper", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 4 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 54, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ecaf626d50ba378064f81e", "name": "RedEyes(ScarCruft) hackers use new malware to steal data from Windows, phones - ASEC BLOG", "description": "Security researcher RedEyes has released a video of his research into post-mortem attacks on the internet, which he says could lead to the death of up to 100,000 people a year.", "modified": "2023-02-15T10:09:38.204000", "created": "2023-02-15T10:09:38.204000", "tags": [ "m2rat", "asec", "redeyes", "reply redeyes", "strong", "scarcruft", "ahnlab security", "center", "apt37", "windows", "middle", "persistence", "defense", "body", "postscript", "winrar", "magniber", "open", "media", "facebook", "footer", "insert" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "URL": 3, "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ec858f61758d32a332822e", "name": "RedEyes hackers use new malware to steal data from Windows, phones", "description": "The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.\n\nAPT37, also known as 'RedEyes' or 'ScarCruft,' is a North Korean cyber espionage hacking group believed to be state-supported.\n\nIn 2022, the hacking group was seen exploiting Internet Explorer zero-days and distributing a wide assortment of malware against targeted entities and individuals.", "modified": "2023-02-15T07:11:11.934000", "created": "2023-02-15T07:11:11.934000", "tags": [ "m2rat", "redeyes", "asec", "reply redeyes", "strong", "scarcruft", "apt37", "home", "ahnlab safety", "ahnlab", "middle", "persistence", "defense", "body", "postscript", "winrar", "magniber", "open", "facebook", "footer", "insert" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "URL": 2, "domain": 4 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://asec.ahnlab.com/en/48063/", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://asec.ahnlab.com/ko/47622/", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "APT37", "RedEyes", "@GRAMMERSoft" ], "malware_families": [ "Chinotto", "Clipper", "Map2", "Redeyes", "Beep", "Laplas clipper", "M2rat", "Xorist", "Go" ], "industries": [ "Cryptocurrency" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-04-21T05:28:37.411000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 514, "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 466, "hostname": 580, "domain": 60, "email": 3, "CVE": 2, "JA3": 1 }, "indicator_count": 3181, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6400623068aef7080a745bfc", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "", "modified": "2023-03-02T08:45:36.126000", "created": "2023-03-02T08:45:36.126000", "tags": [ "Hangul Word Processor", "steganography", "M2RAT", "Powershell", "JavaScript" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" } ], "industries": [], "TLP": "white", "cloned_from": "63f871120247156c9a460a8a", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "1148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f871120247156c9a460a8a", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "", "modified": "2023-02-24T08:10:58.496000", "created": "2023-02-24T08:10:58.496000", "tags": [ "Hangul Word Processor", "steganography", "M2RAT", "Powershell", "JavaScript" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" } ], "industries": [], "TLP": "white", "cloned_from": "63f870ef3132e181b236c949", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "1154 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f870ef3132e181b236c949", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "", "modified": "2023-02-24T08:10:23.038000", "created": "2023-02-24T08:10:23.038000", "tags": [ "Hangul Word Processor", "steganography", "M2RAT", "Powershell", "JavaScript" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" } ], "industries": [], "TLP": "white", "cloned_from": "63f67cceee1cc80ed9497ecf", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "1154 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f6631f6650a6ba34e223d6", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)", "description": "In January, the ASEC analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291) in Korea.The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the latest RedEyes group attack is the fact that they exploited the HWP EPS vulnerability using the steganography technique to distribute their malware.", "modified": "2023-02-22T18:48:44.991000", "created": "2023-02-22T18:46:55.423000", "tags": [ "redeyes", "chinotto", "m2rat", "map2", "redeyes group", "pe file", "mac address", "scarcruft", "run key", "asec analysis", "figure", "value", "powershell", "defense", "body", "example", "refer", "winrar", "ghost", "korean", "team" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [ { "id": "Map2", "display_name": "Map2", "target": null }, { "id": "M2RAT", "display_name": "M2RAT", "target": null }, { "id": "Chinotto", "display_name": "Chinotto", "target": null }, { "id": "RedEyes", "display_name": "RedEyes", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": "63f481d0c7674284f0677046", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "1156 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f481d0c7674284f0677046", "name": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) - ASEC BLOG", "description": "A new strain of malware has been found in the RedEyes threat group in South Korea, which uses a vulnerability in Hangul Word Processor to distribute malware, according to an analysis team from AhnLab.", "modified": "2023-02-21T08:33:20.090000", "created": "2023-02-21T08:33:20.090000", "tags": [ "redeyes", "chinotto", "m2rat", "map2", "redeyes group", "pe file", "mac address", "scarcruft", "run key", "asec analysis", "figure", "value", "powershell", "defense", "body", "example", "refer", "winrar", "ghost", "korean", "team" ], "references": [ "https://asec.ahnlab.com/en/48063/" ], "public": 1, "adversary": "RedEyes", "targeted_countries": [], "malware_families": [ { "id": "Map2", "display_name": "Map2", "target": null }, { "id": "M2RAT", "display_name": "M2RAT", "target": null }, { "id": "Chinotto", "display_name": "Chinotto", "target": null }, { "id": "RedEyes", "display_name": "RedEyes", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 847, "modified_text": "1157 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ed3a6912bea0bd527e197b", "name": "M2RAT, New Malware That Steals Sensitive Data", "description": "AhnLab details an incident where cybercriminals used a new malware they dubbed M2RAT delivered through phishing email attachments. The malware can exfiltrate process information, keylogging, and document and voice files, including those from connected portable devices. The malware will periodically captures screenshots, but the cybercriminal can issue a command to capture those when desired. M2RAT uses a shared memory section for C2 communication, the transfer of stolen data to the C2 without storing them in the compromised system, and data exfiltration. AhnLab attributed the attack to APT37 (RedEyes, ScarCruft), basing their attribution on the techniques employed have been used by APT37.", "modified": "2023-02-15T20:02:49.714000", "created": "2023-02-15T20:02:49.714000", "tags": [ "dw-osint-cib", "malware", "malwaretype/rat", "malware/m2rat", "threatactor", "threatactor/apt37" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 7 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ecc7fe23f455ec3ea89c8e", "name": "Korean (HWP) malware using steganography techniques: RedEyes (ScarCruft)", "description": "The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.\nAPT37, also known as 'RedEyes' or 'ScarCruft,' is a North Korean cyber espionage hacking group believed to be state-supported.", "modified": "2023-02-15T11:54:38.595000", "created": "2023-02-15T11:54:38.595000", "tags": [ "m2rat", "asec", "redeyes", "reply redeyes", "strong", "scarcruft", "ahnlab security", "center", "apt37", "windows", "middle", "persistence", "defense", "body", "postscript", "winrar", "magniber", "open", "media", "facebook", "footer", "insert" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beep", "display_name": "Beep", "target": null }, { "id": "Xorist", "display_name": "Xorist", "target": null }, { "id": "GO", "display_name": "GO", "target": null }, { "id": "Clipper", "display_name": "Clipper", "target": null }, { "id": "Laplas Clipper", "display_name": "Laplas Clipper", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jeffchandy", "id": "215558", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "domain": 4 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 54, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ecaf626d50ba378064f81e", "name": "RedEyes(ScarCruft) hackers use new malware to steal data from Windows, phones - ASEC BLOG", "description": "Security researcher RedEyes has released a video of his research into post-mortem attacks on the internet, which he says could lead to the death of up to 100,000 people a year.", "modified": "2023-02-15T10:09:38.204000", "created": "2023-02-15T10:09:38.204000", "tags": [ "m2rat", "asec", "redeyes", "reply redeyes", "strong", "scarcruft", "ahnlab security", "center", "apt37", "windows", "middle", "persistence", "defense", "body", "postscript", "winrar", "magniber", "open", "media", "facebook", "footer", "insert" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "URL": 3, "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ec858f61758d32a332822e", "name": "RedEyes hackers use new malware to steal data from Windows, phones", "description": "The APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.\n\nAPT37, also known as 'RedEyes' or 'ScarCruft,' is a North Korean cyber espionage hacking group believed to be state-supported.\n\nIn 2022, the hacking group was seen exploiting Internet Explorer zero-days and distributing a wide assortment of malware against targeted entities and individuals.", "modified": "2023-02-15T07:11:11.934000", "created": "2023-02-15T07:11:11.934000", "tags": [ "m2rat", "redeyes", "asec", "reply redeyes", "strong", "scarcruft", "apt37", "home", "ahnlab safety", "ahnlab", "middle", "persistence", "defense", "body", "postscript", "winrar", "magniber", "open", "facebook", "footer", "insert" ], "references": [ "https://asec.ahnlab.com/ko/47622/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "URL": 2, "domain": 4 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "1163 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "wallup.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "wallup.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776997131.6583517 }