{
  "type": "Domain",
  "indicator": "x4k.dev",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/x4k.dev",
    "alexa": "http://www.alexa.com/siteinfo/x4k.dev",
    "indicator": "x4k.dev",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3471930069,
      "indicator": "x4k.dev",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "62ec6b1800ba76b4dee4d7dc",
          "name": "frph.exe - URL golang.org/x/net/bpf - http://x4k.sh/get/EXFgs/OneDrive.exe",
          "description": "Created from Old Safari Bookmark syncing to an old unremovable icloud account \nhttps://bitcoin-fortune.com/profile",
          "modified": "2022-09-04T00:01:06.223000",
          "created": "2022-08-05T00:58:00.740000",
          "tags": [
            "yunohost portal",
            "yunohost please",
            "apt",
            "memoryfile scan",
            "unicode",
            "uint8",
            "h ansi",
            "interface",
            "int32",
            "chan",
            "string",
            "l ansi",
            "entropy",
            "malicious"
          ],
          "references": [
            "x4k.dev - urlscan.io.pdf",
            "x4k.dev - urlscan.io behaviours js.pdf",
            "x4k.dev - urlscan.io - simular too.pdf",
            "x4k.dev - urlscan.io content.pdf",
            "dom.pdf",
            "x4k.dev - urlscan.io dom .pdf",
            "https://hybrid-analysis.com/sample/42ef8fb1eadf609c84262dcfa569ba63c8e31dce25347ab0dd79bb778e7790a1/61f5ec666491152e286edf81",
            "https://golang.org/x/net/bpf",
            "Source",
            "http://x4k.sh/get/EXFgs/OneDrive.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 41,
            "URL": 80,
            "domain": 15,
            "hostname": 32,
            "CVE": 1,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 1
          },
          "indicator_count": 178,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 393,
          "modified_text": "1366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a6e06f1354cea3095da6b5",
          "name": "Exposing HelloXD Ransomware and x4k",
          "description": "Unit 42, a Palo Alto Networks research team, has identified the developer of the HelloXD ransomware family, which has been performing double extortion attacks since November 2021, and is believed to be linked to x4k.",
          "modified": "2022-07-13T00:02:33.637000",
          "created": "2022-06-13T06:59:59",
          "tags": [
            "helloxd",
            "cobalt strike",
            "microbackdoor",
            "babuk",
            "figure",
            "lockbit",
            "palo alto",
            "networks",
            "github account",
            "windows",
            "unit",
            "ghost",
            "ransomware",
            "alliance",
            "crypter",
            "wildfire",
            "virustotal",
            "june",
            "august",
            "ivan",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "HelloXD",
              "display_name": "HelloXD",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Babuk",
              "display_name": "Babuk",
              "target": null
            },
            {
              "id": "MicroBackdoor",
              "display_name": "MicroBackdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "URL": 1,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 57,
            "email": 1,
            "hostname": 58
          },
          "indicator_count": 167,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://hybrid-analysis.com/sample/42ef8fb1eadf609c84262dcfa569ba63c8e31dce25347ab0dd79bb778e7790a1/61f5ec666491152e286edf81",
        "https://golang.org/x/net/bpf",
        "x4k.dev - urlscan.io behaviours js.pdf",
        "x4k.dev - urlscan.io.pdf",
        "Source",
        "x4k.dev - urlscan.io content.pdf",
        "http://x4k.sh/get/EXFgs/OneDrive.exe",
        "x4k.dev - urlscan.io - simular too.pdf",
        "dom.pdf",
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/",
        "x4k.dev - urlscan.io dom .pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike",
            "Microbackdoor",
            "Helloxd",
            "Babuk"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "62ec6b1800ba76b4dee4d7dc",
      "name": "frph.exe - URL golang.org/x/net/bpf - http://x4k.sh/get/EXFgs/OneDrive.exe",
      "description": "Created from Old Safari Bookmark syncing to an old unremovable icloud account \nhttps://bitcoin-fortune.com/profile",
      "modified": "2022-09-04T00:01:06.223000",
      "created": "2022-08-05T00:58:00.740000",
      "tags": [
        "yunohost portal",
        "yunohost please",
        "apt",
        "memoryfile scan",
        "unicode",
        "uint8",
        "h ansi",
        "interface",
        "int32",
        "chan",
        "string",
        "l ansi",
        "entropy",
        "malicious"
      ],
      "references": [
        "x4k.dev - urlscan.io.pdf",
        "x4k.dev - urlscan.io behaviours js.pdf",
        "x4k.dev - urlscan.io - simular too.pdf",
        "x4k.dev - urlscan.io content.pdf",
        "dom.pdf",
        "x4k.dev - urlscan.io dom .pdf",
        "https://hybrid-analysis.com/sample/42ef8fb1eadf609c84262dcfa569ba63c8e31dce25347ab0dd79bb778e7790a1/61f5ec666491152e286edf81",
        "https://golang.org/x/net/bpf",
        "Source",
        "http://x4k.sh/get/EXFgs/OneDrive.exe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 41,
        "URL": 80,
        "domain": 15,
        "hostname": 32,
        "CVE": 1,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 1
      },
      "indicator_count": 178,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 393,
      "modified_text": "1366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a6e06f1354cea3095da6b5",
      "name": "Exposing HelloXD Ransomware and x4k",
      "description": "Unit 42, a Palo Alto Networks research team, has identified the developer of the HelloXD ransomware family, which has been performing double extortion attacks since November 2021, and is believed to be linked to x4k.",
      "modified": "2022-07-13T00:02:33.637000",
      "created": "2022-06-13T06:59:59",
      "tags": [
        "helloxd",
        "cobalt strike",
        "microbackdoor",
        "babuk",
        "figure",
        "lockbit",
        "palo alto",
        "networks",
        "github account",
        "windows",
        "unit",
        "ghost",
        "ransomware",
        "alliance",
        "crypter",
        "wildfire",
        "virustotal",
        "june",
        "august",
        "ivan",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "HelloXD",
          "display_name": "HelloXD",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Babuk",
          "display_name": "Babuk",
          "target": null
        },
        {
          "id": "MicroBackdoor",
          "display_name": "MicroBackdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 11,
        "URL": 1,
        "FileHash-MD5": 19,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 57,
        "email": 1,
        "hostname": 58
      },
      "indicator_count": 167,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "x4k.dev",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "x4k.dev",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780276817.2173426
}