[{"reference": ["https://www.virustotal.com/gui/file/c4f6b01f3733bad7444c8f63eba6b4acd5e7c2a25b6fdb00b2e3ec880d43ed57/detection/f-c4f6b01f3733bad7444c8f63eba6b4acd5e7c2a25b6fdb00b2e3ec880d43ed57-1606699495"], "md5": [], "sha1": [], "sha256": ["c4f6b01f3733bad7444c8f63eba6b4acd5e7c2a25b6fdb00b2e3ec880d43ed57"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/c4f6b01f3733bad7444c8f63eba6b4acd5e7c2a25b6fdb00b2e3ec880d43ed57/detection/f-c4f6b01f3733bad7444c8f63eba6b4acd5e7c2a25b6fdb00b2e3ec880d43ed57-1606699495\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1421984095521890306", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1421984095521890306", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627862402000}, "timestamp": 1627887602}}, {"reference": ["https://twitter.com/abuse_ch/status/1421834305416933376", "https://bazaar.abuse.ch/browse/tag/blackmatter/", "https://github.com/strangerealintel/dailyioc/blob/master/2021-08-01/blackmatter/ran_blackmatter_aug_2021_1.yara"], "md5": [], "sha1": [], "sha256": ["072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486"], "mail": [], "ip": [], "domain": ["paymenthacks.com"], "url": [], "tweet": {"user": "Arkbird_SOLG", "tweet": "The sample of #BlackMatter is unpacked from the upx packed sample :\n072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486\nAdd another one in bazaar :\n https://bazaar.abuse.ch/browse/tag/BlackMatter/\nYara :\n https://github.com/StrangerealIntel/DailyIOC/blob/master/2021-08-01/Blackmatter/RAN_BlackMatter_Aug_2021_1.yara\nIOC :\npaymenthacks.com https://twitter.com/abuse_ch/status/1421834305416933376", "id": "1421984944792944643", "retweets": 19, "link": "https://twitter.com/Arkbird_SOLG/status/1421984944792944643", "mentions": [], "hashtags": ["#BlackMatter"], "date": {"$date": 1627862604000}, "timestamp": 1627887804}}, {"reference": ["https://www.virustotal.com/gui/file/24edc9fbeb8651e776eae60071c67cafa0fb26875ac7bacbcb508e245be933c0/detection/f-24edc9fbeb8651e776eae60071c67cafa0fb26875ac7bacbcb508e245be933c0-1590977118"], "md5": [], "sha1": [], "sha256": ["24edc9fbeb8651e776eae60071c67cafa0fb26875ac7bacbcb508e245be933c0"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 66\nVirusTotal: https://www.virustotal.com/gui/file/24edc9fbeb8651e776eae60071c67cafa0fb26875ac7bacbcb508e245be933c0/detection/f-24edc9fbeb8651e776eae60071c67cafa0fb26875ac7bacbcb508e245be933c0-1590977118\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1421987869934112770", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1421987869934112770", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627863302000}, "timestamp": 1627888502}}, {"reference": ["https://www.virustotal.com/gui/file/9905775f8e3ec44e2b872fafd83bf6afcab40307934865d3e99ff461f266326f/detection/f-9905775f8e3ec44e2b872fafd83bf6afcab40307934865d3e99ff461f266326f-1620518638"], "md5": [], "sha1": [], "sha256": ["9905775f8e3ec44e2b872fafd83bf6afcab40307934865d3e99ff461f266326f"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 58\nVirusTotal: https://www.virustotal.com/gui/file/9905775f8e3ec44e2b872fafd83bf6afcab40307934865d3e99ff461f266326f/detection/f-9905775f8e3ec44e2b872fafd83bf6afcab40307934865d3e99ff461f266326f-1620518638\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1421992902817943557", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1421992902817943557", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627864502000}, "timestamp": 1627889702}}, {"reference": ["https://bazaar.abuse.ch/verify-ua/?url="], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["twinybots.ch"], "url": ["http://twinybots.ch"], "tweet": {"user": "a_jeddab", "tweet": "Browse malware samples #UX #ransomware via http://twinybots.ch https://bazaar.abuse.ch/verify-ua/?url= L3NhbXBsZS8yMmQ3ZDY3YzNhZjEwYjFhMzdmMjc3ZWJhYmUyZDFlYjRmZDI1YWZiZDY0MzdkNDM3NzQwMGUxNDhiY2MwOGQ2Lw= = ", "id": "1421993250039205888", "retweets": 1, "link": "https://twitter.com/a_jeddab/status/1421993250039205888", "mentions": [], "hashtags": ["#UX", "#ransomware"], "date": {"$date": 1627864584000}, "timestamp": 1627889784}}, {"reference": ["https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["147.135.71.175"], "domain": [], "url": [], "tweet": {"user": "bad_packets", "tweet": "Mass scanning activity detected from 147.135.71.175 (\ud83c\uddfa\ud83c\uddf8) checking for publicly accessible AWS CLI ( https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) configuration and credential files. #threatintel", "id": "1421994561916735494", "retweets": 14, "link": "https://twitter.com/bad_packets/status/1421994561916735494", "mentions": [], "hashtags": ["#threatintel"], "date": {"$date": 1627864897000}, "timestamp": 1627890097}}, {"reference": ["https://bazaar.abuse.ch/sample/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6/"], "md5": [], "sha1": [], "sha256": ["22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "dexderrewedd447", "tweet": "\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2 BlackMatters\uff08DarkSide\u306e\u30ea\u30d6\u30e9\u30f3\u30c7\u30a3\u30f3\u30b0\uff09\u306e\u30b5\u30f3\u30d7\u30eb\nMalwareBazaar Database \n https://bazaar.abuse.ch/sample/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6/", "id": "1421997557689946112", "retweets": 1, "link": "https://twitter.com/dexderrewedd447/status/1421997557689946112", "mentions": [], "hashtags": [], "date": {"$date": 1627865611000}, "timestamp": 1627890811}}, {"reference": ["https://www.virustotal.com/gui/file/a0dc16ce121ee3afce49807d7fc755788f924824a84dd24d1e324304004f0176/detection/f-a0dc16ce121ee3afce49807d7fc755788f924824a84dd24d1e324304004f0176-1590020489"], "md5": [], "sha1": [], "sha256": ["a0dc16ce121ee3afce49807d7fc755788f924824a84dd24d1e324304004f0176"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 65\nVirusTotal: https://www.virustotal.com/gui/file/a0dc16ce121ee3afce49807d7fc755788f924824a84dd24d1e324304004f0176/detection/f-a0dc16ce121ee3afce49807d7fc755788f924824a84dd24d1e324304004f0176-1590020489\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1421997938201530370", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1421997938201530370", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627865702000}, "timestamp": 1627890902}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["getbuxcrypto.co"], "url": ["http://getbuxcrypto.co"], "tweet": {"user": "ActorExpose", "tweet": "payment to hxxp://getbuxcrypto.co (dead domain)", "id": "1422001587258597376", "retweets": 1, "link": "https://twitter.com/ActorExpose/status/1422001587258597376", "mentions": [], "hashtags": [], "date": {"$date": 1627866572000}, "timestamp": 1627891772}}, {"reference": ["https://twitter.com/phishunt_io/status/1422029881756508167/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["208.113.171.20"], "domain": ["www.bancaporinternet.interbank-cuenta.iternk.com"], "url": [], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83c\udf10 /www.bancaporinternet.interbank-cuenta.iternk.com/\n\ud83d\udea9 208.113.171.20\n\u2601 DREAMHOST-AS\n\ud83d\udd12 R3 https://twitter.com/phishunt_io/status/1422029881756508167/photo/1", "id": "1422029881756508167", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1422029881756508167", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1627873318000}, "timestamp": 1627898518}}, {"reference": ["http://virustotal.com/gui/url/f7e0cfb463f1d25b9b82ca57d39add8cb0a22cebfe13e786204355107786cfda/detection", "https://www.virustotal.com/gui/url/c80da323ccc5f418b9071678e4891ff51d6272f4e619b0df6e8d324e46fbbc16/detection", "https://www.virustotal.com/gui/url/663dc8af8c2c332ad9a113890e0a1a195d50ae9ad438e0206948795593a63949/detection", "https://www.virustotal.com/gui/url/1473b2d1bbf322cdb98c5568e5578d01adb5d5cdb5f47e00cadd1945d5051c40/detection", "https://www.virustotal.com/gui/url/48235375b97d68626f546e887ef2d271bd25b4c6c070b449efe1784626e13337/detection"], "md5": [], "sha1": [], "sha256": ["c80da323ccc5f418b9071678e4891ff51d6272f4e619b0df6e8d324e46fbbc16", "f7e0cfb463f1d25b9b82ca57d39add8cb0a22cebfe13e786204355107786cfda", "48235375b97d68626f546e887ef2d271bd25b4c6c070b449efe1784626e13337", "663dc8af8c2c332ad9a113890e0a1a195d50ae9ad438e0206948795593a63949", "1473b2d1bbf322cdb98c5568e5578d01adb5d5cdb5f47e00cadd1945d5051c40"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "jjrruiz", "tweet": "@Bitly Proofs:\n* https://www.virustotal.com/gui/url/c80da323ccc5f418b9071678e4891ff51d6272f4e619b0df6e8d324e46fbbc16/detection\n* http://virustotal.com/gui/url/f7e0cfb463f1d25b9b82ca57d39add8cb0a22cebfe13e786204355107786cfda/detection\n* https://www.virustotal.com/gui/url/48235375b97d68626f546e887ef2d271bd25b4c6c070b449efe1784626e13337/detection\n* https://www.virustotal.com/gui/url/663dc8af8c2c332ad9a113890e0a1a195d50ae9ad438e0206948795593a63949/detection\n* https://www.virustotal.com/gui/url/1473b2d1bbf322cdb98c5568e5578d01adb5d5cdb5f47e00cadd1945d5051c40/detection", "id": "1422065550889525248", "retweets": 0, "link": "https://twitter.com/jjrruiz/status/1422065550889525248", "mentions": ["@Bitly"], "hashtags": [], "date": {"$date": 1627881822000}, "timestamp": 1627907022}}, {"reference": ["https://www.virustotal.com/gui/file/dc9fcb210bb6436bee5b9cac39a3a5f9dd06a2e5ebf4062cf0b0e66d14d5236f/detection"], "md5": [], "sha1": [], "sha256": ["dc9fcb210bb6436bee5b9cac39a3a5f9dd06a2e5ebf4062cf0b0e66d14d5236f"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "pcrisk", "tweet": "Stop/Djvu ransomware. extension: .nooa. Sample: https://www.virustotal.com/gui/file/dc9fcb210bb6436bee5b9cac39a3a5f9dd06a2e5ebf4062cf0b0e66d14d5236f/detection @struppigel @demonslay335 @Amigo_A_", "id": "1422067867990769665", "retweets": 1, "link": "https://twitter.com/pcrisk/status/1422067867990769665", "mentions": ["@struppigel", "@demonslay335", "@Amigo_A_"], "hashtags": [], "date": {"$date": 1627882375000}, "timestamp": 1627907575}}, {"reference": ["https://www.virustotal.com/gui/file/9e50377619800e129a6d65d93d0252e670e273bc50eba4bb0c76d7b2e6d1852c/detection"], "md5": [], "sha1": [], "sha256": ["9e50377619800e129a6d65d93d0252e670e273bc50eba4bb0c76d7b2e6d1852c"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "pcrisk", "tweet": "Stop/Djvu ransomware. extension: .muuq. Sample: https://www.virustotal.com/gui/file/9e50377619800e129a6d65d93d0252e670e273bc50eba4bb0c76d7b2e6d1852c/detection @struppigel @demonslay335 @Amigo_A_", "id": "1422067926027407362", "retweets": 1, "link": "https://twitter.com/pcrisk/status/1422067926027407362", "mentions": ["@struppigel", "@demonslay335", "@Amigo_A_"], "hashtags": [], "date": {"$date": 1627882388000}, "timestamp": 1627907588}}, {"reference": ["https://twitter.com/phishunt_io/status/1422090595137376257/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["212.95.142.34"], "domain": ["amazon.a61y.cn"], "url": ["amazon.a61y.cn/signin/homepage"], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83c\udf10 /amazon.a61y.cn/signin/homepage\n\ud83d\udea9 212.95.142.34\n\u2601 DDOSING-BGP-NETWORK\n\ud83d\udd12 R3 https://twitter.com/phishunt_io/status/1422090595137376257/photo/1", "id": "1422090595137376257", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1422090595137376257", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1627887793000}, "timestamp": 1627912993}}, {"reference": ["https://www.virustotal.com/gui/file/b3bb45e256fd834f4fe8276d113a5fbd3abf8ea4122785678d5a1620b5b9c171/detection/f-b3bb45e256fd834f4fe8276d113a5fbd3abf8ea4122785678d5a1620b5b9c171-1622421062"], "md5": [], "sha1": [], "sha256": ["b3bb45e256fd834f4fe8276d113a5fbd3abf8ea4122785678d5a1620b5b9c171"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 61\nVirusTotal: https://www.virustotal.com/gui/file/b3bb45e256fd834f4fe8276d113a5fbd3abf8ea4122785678d5a1620b5b9c171/detection/f-b3bb45e256fd834f4fe8276d113a5fbd3abf8ea4122785678d5a1620b5b9c171-1622421062\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422096083799482370", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422096083799482370", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627889102000}, "timestamp": 1627914302}}, {"reference": ["https://www.virustotal.com/gui/file/a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd/detection/f-a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd-1619634918"], "md5": [], "sha1": [], "sha256": ["a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 57\nVirusTotal: https://www.virustotal.com/gui/file/a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd/detection/f-a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd-1619634918\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422117475781595139", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422117475781595139", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627894202000}, "timestamp": 1627919402}}, {"reference": ["https://twitter.com/phishunt_io/status/1422120302444785664/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["52.250.66.44"], "domain": ["www.instagramsecuritycentre.com"], "url": ["www.instagramsecuritycentre.com/help/1268496854"], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /www.instagramsecuritycentre.com/help/1268496854/\n\ud83d\udea9 52.250.66.44\n\u2601 MICROSOFT-CORP-MSN-AS-BLOCK\n\ud83d\udd12 R3 https://twitter.com/phishunt_io/status/1422120302444785664/photo/1", "id": "1422120302444785664", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1422120302444785664", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1627894876000}, "timestamp": 1627920076}}, {"reference": ["https://www.virustotal.com/gui/file/8965877849613744e3281e82a15d4f138699dfedb25a6a0d849304ca7ff908df/detection/f-8965877849613744e3281e82a15d4f138699dfedb25a6a0d849304ca7ff908df-1576455980"], "md5": [], "sha1": [], "sha256": ["8965877849613744e3281e82a15d4f138699dfedb25a6a0d849304ca7ff908df"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/8965877849613744e3281e82a15d4f138699dfedb25a6a0d849304ca7ff908df/detection/f-8965877849613744e3281e82a15d4f138699dfedb25a6a0d849304ca7ff908df-1576455980\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422121252139913216", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422121252139913216", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627895102000}, "timestamp": 1627920302}}, {"reference": ["https://twitter.com/castellumlabs/status/1422126840538288132/photo/1", "https://bazaar.abuse.ch/sample/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6/"], "md5": [], "sha1": [], "sha256": ["22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "CastellumLabs", "tweet": "Ransomware Alert . !! BlackMatter !!\n\n(by Christiaan Beek on malwarebazaar database)\n\n https://bazaar.abuse.ch/sample/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6/ https://twitter.com/CastellumLabs/status/1422126840538288132/photo/1", "id": "1422126840538288132", "retweets": 2, "link": "https://twitter.com/CastellumLabs/status/1422126840538288132", "mentions": [], "hashtags": [], "date": {"$date": 1627896435000}, "timestamp": 1627921635}}, {"reference": ["https://www.virustotal.com/gui/file/5e433caafe8379066aefeaa25f810721cb869a91cba0fec46434ce9282d8c421/detection/f-5e433caafe8379066aefeaa25f810721cb869a91cba0fec46434ce9282d8c421-1586996639"], "md5": [], "sha1": [], "sha256": ["5e433caafe8379066aefeaa25f810721cb869a91cba0fec46434ce9282d8c421"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 67\nVirusTotal: https://www.virustotal.com/gui/file/5e433caafe8379066aefeaa25f810721cb869a91cba0fec46434ce9282d8c421/detection/f-5e433caafe8379066aefeaa25f810721cb869a91cba0fec46434ce9282d8c421-1586996639\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422130056244174849", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422130056244174849", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627897201000}, "timestamp": 1627922401}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["maldatabase.com"], "url": ["https://maldatabase.com"], "tweet": {"user": "maldatabase", "tweet": "Top malware families analyzed last week:\n\n1\ufe0f\u20e3 #AZORult\n2\ufe0f\u20e3 #AgentTesla\n3\ufe0f\u20e3 #Dridex\n4\ufe0f\u20e3 #RedLine\n5\ufe0f\u20e3 #TrickBot\n6\ufe0f\u20e3 #LokiBot\n7\ufe0f\u20e3 #Ursnif\n8\ufe0f\u20e3 #Predator\n9\ufe0f\u20e3 #Arkei\n\ud83d\udd1f #njRAT\n\n#Malware #ThreatIntelligence #threatintel #infosec #cybersecurity\n https://maldatabase.com", "id": "1422130895272779778", "retweets": 4, "link": "https://twitter.com/maldatabase/status/1422130895272779778", "mentions": [], "hashtags": ["#AZORult", "#AgentTesla", "#Dridex", "#RedLine", "#TrickBot", "#LokiBot", "#Ursnif", "#Predator", "#Arkei", "#njRAT", "#Malware", "#ThreatIntelligence", "#threatintel", "#infosec", "#cybersecurity"], "date": {"$date": 1627897402000}, "timestamp": 1627922602}}, {"reference": ["https://twitter.com/reecdeep/status/1422135061839761408/photo/1"], "md5": ["2D7959514A72090CB5043E447AC3FDE1"], "sha1": [], "sha256": [], "mail": [], "ip": ["79.134.225.104"], "domain": [], "url": ["https://onedrive.live.com/download?cid", "79.134.225.104:8946"], "tweet": {"user": "reecdeep", "tweet": "#GuLoader #Remcos targets #Italy \ud83c\uddee\ud83c\uddf9\n\n\"COPIA SWIFT PAGAMENTO\"\n7z: 2D7959514A72090CB5043E447AC3FDE1\n\n\ud83d\udc49hxxps://onedrive.live.com/download?cid= 9F85AF9FEBE5FBF3&resid= 9F85AF9FEBE5FBF3%21119&authkey= AF8xXCv-_H1NlS4\n\n\ud83d\udd2579.134.225.104:8946\n#infosec #CyberSecurity #cybercrime #Security https://twitter.com/reecdeep/status/1422135061839761408/photo/1", "id": "1422135061839761408", "retweets": 4, "link": "https://twitter.com/reecdeep/status/1422135061839761408", "mentions": [], "hashtags": ["#GuLoader", "#Remcos", "#Italy", "#infosec", "#CyberSecurity", "#cybercrime", "#Security"], "date": {"$date": 1627898395000}, "timestamp": 1627923595}}, {"reference": ["https://twitter.com/siri_urz/status/1422140400849104896/photo/1"], "md5": ["5210735409235C1AAF674FEFDDD33E35"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "siri_urz", "tweet": "5210735409235C1AAF674FEFDDD33E35 #Ransomware ncorbuk https://twitter.com/siri_urz/status/1422140400849104896/photo/1", "id": "1422140400849104896", "retweets": 6, "link": "https://twitter.com/siri_urz/status/1422140400849104896", "mentions": [], "hashtags": ["#Ransomware"], "date": {"$date": 1627899668000}, "timestamp": 1627924868}}, {"reference": ["https://www.virustotal.com/gui/domain/arrmark.com"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["arrmark.com"], "url": [], "tweet": {"user": "Certego_Intel", "tweet": "#Malware #BitRat #Blocklist\nDomain: arrmark.com\nVirusTotal: https://www.virustotal.com/gui/domain/arrmark.com\n#CyberSecurity #ThreatIntel (bot generated)", "id": "1422140713618362368", "retweets": 2, "link": "https://twitter.com/Certego_Intel/status/1422140713618362368", "mentions": [], "hashtags": ["#Malware", "#BitRat", "#Blocklist", "#CyberSecurity", "#ThreatIntel"], "date": {"$date": 1627899742000}, "timestamp": 1627924942}}, {"reference": ["https://www.virustotal.com/gui/file/5132f777f83b032065902f94d2cc7d54ce1b113cb4514fc065fd965faa4599c6/detection/f-5132f777f83b032065902f94d2cc7d54ce1b113cb4514fc065fd965faa4599c6-1579183489"], "md5": [], "sha1": [], "sha256": ["5132f777f83b032065902f94d2cc7d54ce1b113cb4514fc065fd965faa4599c6"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/5132f777f83b032065902f94d2cc7d54ce1b113cb4514fc065fd965faa4599c6/detection/f-5132f777f83b032065902f94d2cc7d54ce1b113cb4514fc065fd965faa4599c6-1579183489\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422141384379731972", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422141384379731972", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627899902000}, "timestamp": 1627925102}}, {"reference": ["https://www.virustotal.com/gui/file/d8abe06aa4f11e0ffaee084ed9bcf74b060852eeba43042bb0ed6999ed003906/detection/f-d8abe06aa4f11e0ffaee084ed9bcf74b060852eeba43042bb0ed6999ed003906-1601191985"], "md5": [], "sha1": [], "sha256": ["d8abe06aa4f11e0ffaee084ed9bcf74b060852eeba43042bb0ed6999ed003906"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/d8abe06aa4f11e0ffaee084ed9bcf74b060852eeba43042bb0ed6999ed003906/detection/f-d8abe06aa4f11e0ffaee084ed9bcf74b060852eeba43042bb0ed6999ed003906-1601191985\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422142639143636999", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422142639143636999", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627900201000}, "timestamp": 1627925401}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["13.64.0.0"], "domain": ["join-grup-xxxx80.duckdns.org"], "url": ["http://join-grup-xxxx80.duckdns.org/login.php", "13.64.0.0/11"], "tweet": {"user": "ActorExpose", "tweet": "Active Phish\n\nhxxp://join-grup-xxxx80.duckdns.org/login.php\n\nAS number: AS8075\nAS name (ISP): Microsoft Corporation \nIP-range/subnet: 13.64.0.0/11\n\n@DuckDNS", "id": "1422142724371779586", "retweets": 1, "link": "https://twitter.com/ActorExpose/status/1422142724371779586", "mentions": ["@DuckDNS"], "hashtags": [], "date": {"$date": 1627900222000}, "timestamp": 1627925422}}, {"reference": ["https://bazaar.abuse.ch/browse/tag/replicationoperationinformation/", "https://bazaar.abuse.ch/browse/tag/adriatik%20port%20servis%20d.o.o./", "https://twitter.com/jameswt_mht/status/1422145016928088071/photo/1", "https://bazaar.abuse.ch/browse/tag/45.140.17.75/", "https://bazaar.abuse.ch/browse/tag/185.215.113.86/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["185.215.113.86", "45.140.17.75"], "domain": [], "url": [], "tweet": {"user": "JAMESWT_MHT", "tweet": "Collections of #signed \"ADRIATIK PORT SERVIS. d.o.o.\"\nincluding #RedLineStealer/#CobaltStrike\n https://bazaar.abuse.ch/browse/tag/ADRIATIK%20PORT%20SERVIS%20d.o.o./\nRelated Sample including #signed \"ReplicationOperationInformation\"\n https://bazaar.abuse.ch/browse/tag/185.215.113.86/\n https://bazaar.abuse.ch/browse/tag/45.140.17.75/\n https://bazaar.abuse.ch/browse/tag/ReplicationOperationInformation/\nH/T @malwrhunterteam https://twitter.com/JAMESWT_MHT/status/1422145016928088071/photo/1", "id": "1422145016928088071", "retweets": 13, "link": "https://twitter.com/JAMESWT_MHT/status/1422145016928088071", "mentions": ["@malwrhunterteam"], "hashtags": ["#signed", "#RedLineStealer", "#CobaltStrike", "#signed"], "date": {"$date": 1627900768000}, "timestamp": 1627925968}}, {"reference": ["https://www.virustotal.com/gui/file/84159df1c23874f225b96255bb67ee1b1a8c65abf4a1fbcbeac0e7a737b445e0/detection/f-84159df1c23874f225b96255bb67ee1b1a8c65abf4a1fbcbeac0e7a737b445e0-1618878667"], "md5": [], "sha1": [], "sha256": ["84159df1c23874f225b96255bb67ee1b1a8c65abf4a1fbcbeac0e7a737b445e0"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 60\nVirusTotal: https://www.virustotal.com/gui/file/84159df1c23874f225b96255bb67ee1b1a8c65abf4a1fbcbeac0e7a737b445e0/detection/f-84159df1c23874f225b96255bb67ee1b1a8c65abf4a1fbcbeac0e7a737b445e0-1618878667\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422146415879413763", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422146415879413763", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627901102000}, "timestamp": 1627926302}}, {"reference": ["https://www.virustotal.com/gui/url/b3f39a1960cd8a9bcb9712a3d1a4f9fc0af47ae908a400b865bdc0837bd84ce4/detection"], "md5": [], "sha1": [], "sha256": ["b3f39a1960cd8a9bcb9712a3d1a4f9fc0af47ae908a400b865bdc0837bd84ce4"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "Muddasaryamin", "tweet": " https://www.virustotal.com/gui/url/b3f39a1960cd8a9bcb9712a3d1a4f9fc0af47ae908a400b865bdc0837bd84ce4/detection", "id": "1422151427720421380", "retweets": 0, "link": "https://twitter.com/Muddasaryamin/status/1422151427720421380", "mentions": [], "hashtags": [], "date": {"$date": 1627902297000}, "timestamp": 1627927497}}, {"reference": ["https://twitter.com/reecdeep/status/1422152570278195204/photo/1"], "md5": ["E9DA84B456E6537B9AC7112ABAC626FE"], "sha1": [], "sha256": [], "mail": ["admin@3aglobalengg.com"], "ip": [], "domain": ["mail.3aglobalengg.com", "3aglobalengg.com"], "url": [], "tweet": {"user": "reecdeep", "tweet": "#AgentTesla #Malware targeting #Italy \ud83c\uddee\ud83c\uddf9\n\n\"NUOVA RICHIESTA D'ORDINE\"\nIMG: E9DA84B456E6537B9AC7112ABAC626FE\n\n\ud83d\udd25\nadmin@3aglobalengg.com\nmail.3aglobalengg.com\n\n#infosec #CyberSecurity #cybercrime #Security https://twitter.com/reecdeep/status/1422152570278195204/photo/1", "id": "1422152570278195204", "retweets": 7, "link": "https://twitter.com/reecdeep/status/1422152570278195204", "mentions": ["@3aglobalengg"], "hashtags": ["#AgentTesla", "#Malware", "#Italy", "#infosec", "#CyberSecurity", "#cybercrime", "#Security"], "date": {"$date": 1627902569000}, "timestamp": 1627927769}}, {"reference": ["https://translate.google.com/translate?hl=", "https://twitter.com/timele9527/status/1422155656040095749/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["mp.weixin.qq.com"], "url": ["https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ"], "tweet": {"user": "Timele9527", "tweet": "#APT threat analysis report about #CNC #APT-C-48\uff1a\n\u201cHunting for the sky-CNC (APT-C-48) organized the latest attack activity disclosure\u201c\nreport\uff1a\n https://mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ\n https://translate.google.com/translate?hl= &sl= zh-CN&tl= en&u= https%3A%2F%2Fmp.weixin.qq.com%2Fs%2FdMFyLxsErYUZX7BQyBL9YQ https://twitter.com/Timele9527/status/1422155656040095749/photo/1", "id": "1422155656040095749", "retweets": 11, "link": "https://twitter.com/Timele9527/status/1422155656040095749", "mentions": [], "hashtags": ["#APT", "#CNC", "#APT"], "date": {"$date": 1627903305000}, "timestamp": 1627928505}}, {"reference": ["https://www.virustotal.com/gui/file/910ea768091b49aee2f7726b6ddff2a7bd71617d943982b1c3de4b708f2464a8/detection/f-910ea768091b49aee2f7726b6ddff2a7bd71617d943982b1c3de4b708f2464a8-1608061417"], "md5": [], "sha1": [], "sha256": ["910ea768091b49aee2f7726b6ddff2a7bd71617d943982b1c3de4b708f2464a8"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 62\nVirusTotal: https://www.virustotal.com/gui/file/910ea768091b49aee2f7726b6ddff2a7bd71617d943982b1c3de4b708f2464a8/detection/f-910ea768091b49aee2f7726b6ddff2a7bd71617d943982b1c3de4b708f2464a8-1608061417\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422157741792051204", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422157741792051204", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627903802000}, "timestamp": 1627929002}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["www.chilimusic.co.kr"], "url": ["http://www.chilimusic.co.kr/menu3/discview.php?discidx"], "tweet": {"user": "ActorExpose", "tweet": "damaged and failed webshell on this domain\n\nhxxp://www.chilimusic.co.kr/menu3/discview.php?discidx= 290\n\n@malwaremansys @2RunJack2", "id": "1422163092700532741", "retweets": 1, "link": "https://twitter.com/ActorExpose/status/1422163092700532741", "mentions": ["@malwaremansys", "@2RunJack2"], "hashtags": [], "date": {"$date": 1627905078000}, "timestamp": 1627930278}}, {"reference": ["https://www.virustotal.com/gui/file/c73a72c706487f41e52fa614aff1daef57737bc0421ee90586ed4443d6640e98/detection/f-c73a72c706487f41e52fa614aff1daef57737bc0421ee90586ed4443d6640e98-1527763663"], "md5": [], "sha1": [], "sha256": ["c73a72c706487f41e52fa614aff1daef57737bc0421ee90586ed4443d6640e98"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 57\nVirusTotal: https://www.virustotal.com/gui/file/c73a72c706487f41e52fa614aff1daef57737bc0421ee90586ed4443d6640e98/detection/f-c73a72c706487f41e52fa614aff1daef57737bc0421ee90586ed4443d6640e98-1527763663\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422167805819031557", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422167805819031557", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627906202000}, "timestamp": 1627931402}}, {"reference": [], "md5": [], "sha1": [], "sha256": ["fcae65bbf9ea0e04b7c5788d544185f8fcae65bbf9ea0e04b7c5788d544185f8"], "mail": [], "ip": [], "domain": ["royalrentacarpak.com"], "url": ["http://royalrentacarpak.com/wp-content/th/sk/SCX/home/login.php?cmd"], "tweet": {"user": "ActorExpose", "tweet": "Active Phish (compromised)\n\nhxxp://royalrentacarpak.com/wp-content/th/sk/SCX/home/login.php?cmd= login_submit&id= fcae65bbf9ea0e04b7c5788d544185f8fcae65bbf9ea0e04b7c5788d544185f8&session= fcae65bbf9ea0e04b7c5788d544185f8fcae65bbf9ea0e04b7c5788d544185f8\n\n@douglasmun @CSAFCert", "id": "1422169462225182725", "retweets": 1, "link": "https://twitter.com/ActorExpose/status/1422169462225182725", "mentions": ["@douglasmun", "@CSAFCert"], "hashtags": [], "date": {"$date": 1627906597000}, "timestamp": 1627931797}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["162.241.0.0"], "domain": ["kehelahwims.com"], "url": ["http://kehelahwims.com/grace", "162.241.0.0/16"], "tweet": {"user": "ActorExpose", "tweet": "Active Phish \n\nhxxp://kehelahwims.com/grace/\n\nAS number: AS46606\nAS name (ISP): Unified Layer \nIP-range/subnet: 162.241.0.0/16\n\nNuKe @Spam404", "id": "1422170145859031040", "retweets": 1, "link": "https://twitter.com/ActorExpose/status/1422170145859031040", "mentions": ["@Spam404"], "hashtags": [], "date": {"$date": 1627906760000}, "timestamp": 1627931960}}, {"reference": ["https://www.virustotal.com/gui/file/d4e2dc183bb421fd3f4b615de499e5d9869fef4c4bcc3bc7933e044638b0df2a/detection/f-d4e2dc183bb421fd3f4b615de499e5d9869fef4c4bcc3bc7933e044638b0df2a-1617563109"], "md5": [], "sha1": [], "sha256": ["d4e2dc183bb421fd3f4b615de499e5d9869fef4c4bcc3bc7933e044638b0df2a"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 60\nVirusTotal: https://www.virustotal.com/gui/file/d4e2dc183bb421fd3f4b615de499e5d9869fef4c4bcc3bc7933e044638b0df2a/detection/f-d4e2dc183bb421fd3f4b615de499e5d9869fef4c4bcc3bc7933e044638b0df2a-1617563109\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422172840032448514", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422172840032448514", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627907402000}, "timestamp": 1627932602}}, {"reference": [], "md5": ["3f9a28e8c057e7ea7ccf15a4db81f362", "ba375d0625001102fc1f2ccb6f582d91", "e6b0276bc3f541d8ff1ebb1b59c8bd29", "598c53bfef81e489375f09792e487f1a", "d0512f2063cbd79fb0f770817cc81ab3"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["x1.c.lencr.org", "mojobiden.com", "paymenthacks.com"], "url": ["http://x1.c.lencr.org", "https://mojobiden.com", "https://paymenthacks.com"], "tweet": {"user": "pancak3lullz", "tweet": "#BlackMatter IOCs\nhxxps://mojobiden.com/\nhxxp://x1.c.lencr.org/\nhxxps://paymenthacks.com/\n\n3f9a28e8c057e7ea7ccf15a4db81f362\nba375d0625001102fc1f2ccb6f582d91\ne6b0276bc3f541d8ff1ebb1b59c8bd29\n598c53bfef81e489375f09792e487f1a\nd0512f2063cbd79fb0f770817cc81ab3", "id": "1422189641793515520", "retweets": 5, "link": "https://twitter.com/pancak3lullz/status/1422189641793515520", "mentions": [], "hashtags": ["#BlackMatter"], "date": {"$date": 1627911408000}, "timestamp": 1627936608}}, {"reference": ["https://app.any.run/tasks/e9dfe8ff-b4a8-4262-8269-f7f2a1d11f29"], "md5": [], "sha1": [], "sha256": ["a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe"], "mail": [], "ip": ["143.198.78.177"], "domain": [], "url": ["https://143.198.78.177/out/static/page"], "tweet": {"user": "James_inthe_box", "tweet": "Fresh #bazaloader via password'd http://Info.zip -> doc \n\n https://app.any.run/tasks/e9dfe8ff-b4a8-4262-8269-f7f2a1d11f29\n\ndll hash:\na66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe\n\nc2: https://143.198.78.177/out/static/page", "id": "1422191753218576392", "retweets": 12, "link": "https://twitter.com/James_inthe_box/status/1422191753218576392", "mentions": [], "hashtags": ["#bazaloader"], "date": {"$date": 1627911911000}, "timestamp": 1627937111}}, {"reference": ["https://twitter.com/reecdeep/status/1422191780833988616/photo/1"], "md5": ["4EBC548DF517CAE4C7E3122E9C75EDE6"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["himarkh.xyz"], "url": [], "tweet": {"user": "reecdeep", "tweet": "Malicious XLL file built using Excel DNA is spawning service.exe process as #Vidar #Malware\n\n\"PURCHASE ORDER.xll\"\n4EBC548DF517CAE4C7E3122E9C75EDE6\n\n\ud83d\udd25c2: himarkh.xyz\n\n#infosec #CyberSecurity #cybercrime #Security https://twitter.com/reecdeep/status/1422191780833988616/photo/1", "id": "1422191780833988616", "retweets": 20, "link": "https://twitter.com/reecdeep/status/1422191780833988616", "mentions": [], "hashtags": ["#Vidar", "#Malware", "#infosec", "#CyberSecurity", "#cybercrime", "#Security"], "date": {"$date": 1627911918000}, "timestamp": 1627937118}}, {"reference": ["https://www.virustotal.com/graph/embed/ga5be3c6f0c8c474ba459bdc6b001b1e9d12ed432079045c3b2c8ad07d426a2f2", "https://twitter.com/nahberry/status/1422196688199036929/photo/1", "https://otx.alienvault.com/indicator/file/7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984"], "md5": [], "sha1": [], "sha256": ["7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "nahberry", "tweet": "#BlackMatter #ransomware has emerged \n\nAlienVault\n https://otx.alienvault.com/indicator/file/7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984\n\nVT Graph \n https://www.virustotal.com/graph/embed/ga5be3c6f0c8c474ba459bdc6b001b1e9d12ed432079045c3b2c8ad07d426a2f2 https://twitter.com/nahberry/status/1422196688199036929/photo/1", "id": "1422196688199036929", "retweets": 0, "link": "https://twitter.com/nahberry/status/1422196688199036929", "mentions": [], "hashtags": ["#BlackMatter", "#ransomware"], "date": {"$date": 1627913088000}, "timestamp": 1627938288}}, {"reference": ["https://www.virustotal.com/gui/file/08e9250b055076bf0ba7453c0ca4edbe4887ac76267c02f5989d5c0849577151/detection/f-08e9250b055076bf0ba7453c0ca4edbe4887ac76267c02f5989d5c0849577151-1615463288"], "md5": [], "sha1": [], "sha256": ["08e9250b055076bf0ba7453c0ca4edbe4887ac76267c02f5989d5c0849577151"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 51\nVirusTotal: https://www.virustotal.com/gui/file/08e9250b055076bf0ba7453c0ca4edbe4887ac76267c02f5989d5c0849577151/detection/f-08e9250b055076bf0ba7453c0ca4edbe4887ac76267c02f5989d5c0849577151-1615463288\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422198007676739592", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422198007676739592", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627913402000}, "timestamp": 1627938602}}, {"reference": ["https://www.virustotal.com/gui/file/a2ae0d4f4b36b961fa5b7b5a310125c74d2c23f97601a10518ad97c74b0e7c23/detection/f-a2ae0d4f4b36b961fa5b7b5a310125c74d2c23f97601a10518ad97c74b0e7c23-1593684919"], "md5": [], "sha1": [], "sha256": ["a2ae0d4f4b36b961fa5b7b5a310125c74d2c23f97601a10518ad97c74b0e7c23"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 59\nVirusTotal: https://www.virustotal.com/gui/file/a2ae0d4f4b36b961fa5b7b5a310125c74d2c23f97601a10518ad97c74b0e7c23/detection/f-a2ae0d4f4b36b961fa5b7b5a310125c74d2c23f97601a10518ad97c74b0e7c23-1593684919\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422198010096799747", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422198010096799747", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627913403000}, "timestamp": 1627938603}}, {"reference": ["https://www.virustotal.com/gui/file/941abe738784e5b811fe4d563e6b3f2089cf1ac7a8edb5b138c1d723020c7c78/detection/f-941abe738784e5b811fe4d563e6b3f2089cf1ac7a8edb5b138c1d723020c7c78-1570963397"], "md5": [], "sha1": [], "sha256": ["941abe738784e5b811fe4d563e6b3f2089cf1ac7a8edb5b138c1d723020c7c78"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 57\nVirusTotal: https://www.virustotal.com/gui/file/941abe738784e5b811fe4d563e6b3f2089cf1ac7a8edb5b138c1d723020c7c78/detection/f-941abe738784e5b811fe4d563e6b3f2089cf1ac7a8edb5b138c1d723020c7c78-1570963397\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422198012579880962", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422198012579880962", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627913404000}, "timestamp": 1627938604}}, {"reference": ["https://www.virustotal.com/gui/file/81159f1f7a071a1517662e6813742ee670e3380f1d3d062062503a92e3dc9ebc/detection/f-81159f1f7a071a1517662e6813742ee670e3380f1d3d062062503a92e3dc9ebc-1585562495"], "md5": [], "sha1": [], "sha256": ["81159f1f7a071a1517662e6813742ee670e3380f1d3d062062503a92e3dc9ebc"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 68\nVirusTotal: https://www.virustotal.com/gui/file/81159f1f7a071a1517662e6813742ee670e3380f1d3d062062503a92e3dc9ebc/detection/f-81159f1f7a071a1517662e6813742ee670e3380f1d3d062062503a92e3dc9ebc-1585562495\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422201780927143938", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422201780927143938", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627914302000}, "timestamp": 1627939502}}, {"reference": ["https://labs.inquest.net/dfi/hash/8d98902b1125d3fa1887b6c5fdf24f2884a38054bc87dba5e9ad4c9bbc66e867"], "md5": [], "sha1": [], "sha256": ["02a55e30e4fab381bc930bbcee26d91a7e1f5bc1496cc6ef9bfedd8653476740", "8d98902b1125d3fa1887b6c5fdf24f2884a38054bc87dba5e9ad4c9bbc66e867"], "mail": [], "ip": [], "domain": ["longurl.in"], "url": ["longurl.in/WFDv"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Malicious RTF document found hosted at:\n\nhttps///longurl.in/WFDv\nSHA256: 02a55e30e4fab381bc930bbcee26d91a7e1f5bc1496cc6ef9bfedd8653476740\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/8d98902b1125d3fa1887b6c5fdf24f2884a38054bc87dba5e9ad4c9bbc66e867", "id": "1422203086421078024", "retweets": 3, "link": "https://twitter.com/InQuest/status/1422203086421078024", "mentions": [], "hashtags": [], "date": {"$date": 1627914613000}, "timestamp": 1627939813}}, {"reference": ["https://gist.github.com/silence-is-best/ac1440dcf7aec90a53905ae86559e621", "https://twitter.com/james_inthe_box/status/1422203814786985989/photo/1"], "md5": ["ac1440dcf7aec90a53905ae86559e621"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "James_inthe_box", "tweet": "A csv formatted list of #malspam #campaigns that crossed my path in July to include subjects. hashes. c2's. and email exfil addresses:\n\n https://gist.github.com/silence-is-best/ac1440dcf7aec90a53905ae86559e621\n\n#retrohunt https://twitter.com/James_inthe_box/status/1422203814786985989/photo/1", "id": "1422203814786985989", "retweets": 11, "link": "https://twitter.com/James_inthe_box/status/1422203814786985989", "mentions": [], "hashtags": ["#malspam", "#campaigns", "#retrohunt"], "date": {"$date": 1627914787000}, "timestamp": 1627939987}}, {"reference": ["https://bazaar.abuse.ch/sample/bd068442713d668c544ed7c9b439e27121b33ac1573b12c95c7ff7ca8003d283/", "https://app.any.run/tasks/f845ad7e-caac-49ee-a8dd-62a6cd57d271"], "md5": [], "sha1": [], "sha256": ["bd068442713d668c544ed7c9b439e27121b33ac1573b12c95c7ff7ca8003d283"], "mail": [], "ip": ["2.56.59.76"], "domain": [], "url": ["http://2.56.59.76/alig.jpg"], "tweet": {"user": "Racco42", "tweet": "ISO certification must come in .iso file. right?\n\"1-ISO certification.iso\" contains .js which get a #guloader from hxxp://2.56.59.76/alig.jpg\n https://app.any.run/tasks/f845ad7e-caac-49ee-a8dd-62a6cd57d271\n https://bazaar.abuse.ch/sample/bd068442713d668c544ed7c9b439e27121b33ac1573b12c95c7ff7ca8003d283/", "id": "1422206952571031553", "retweets": 1, "link": "https://twitter.com/Racco42/status/1422206952571031553", "mentions": [], "hashtags": ["#guloader"], "date": {"$date": 1627915535000}, "timestamp": 1627940735}}, {"reference": ["https://www.virustotal.com/gui/file/5cbaf52d93f9ac1b956221e9769eb7a6583d75544b065d902090ae2dab171066/detection/f-5cbaf52d93f9ac1b956221e9769eb7a6583d75544b065d902090ae2dab171066-1578662387"], "md5": [], "sha1": [], "sha256": ["5cbaf52d93f9ac1b956221e9769eb7a6583d75544b065d902090ae2dab171066"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/5cbaf52d93f9ac1b956221e9769eb7a6583d75544b065d902090ae2dab171066/detection/f-5cbaf52d93f9ac1b956221e9769eb7a6583d75544b065d902090ae2dab171066-1578662387\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422208073238728706", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422208073238728706", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627915802000}, "timestamp": 1627941002}}, {"reference": ["https://www.virustotal.com/gui/file/baf0c41fa27fe01f0b86c978a6af52618ecb500239d414c4e6736e22bae4125e/detection/f-baf0c41fa27fe01f0b86c978a6af52618ecb500239d414c4e6736e22bae4125e-1599109665"], "md5": [], "sha1": [], "sha256": ["baf0c41fa27fe01f0b86c978a6af52618ecb500239d414c4e6736e22bae4125e"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 60\nVirusTotal: https://www.virustotal.com/gui/file/baf0c41fa27fe01f0b86c978a6af52618ecb500239d414c4e6736e22bae4125e/detection/f-baf0c41fa27fe01f0b86c978a6af52618ecb500239d414c4e6736e22bae4125e-1599109665\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422213108030914564", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422213108030914564", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627917003000}, "timestamp": 1627942203}}, {"reference": ["https://app.any.run/tasks/a1da3911-b2ce-4e75-a08c-ad354751c913"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["himarkh.xyz"], "url": ["http://himarkh.xyz"], "tweet": {"user": "Racco42", "tweet": "OK. this is new for me. #malspam with .xll file attachment. which is identified as .dll. but opens in Office 2019 as xls. \nBrings #vidar stealer\nC2: hxxp://himarkh.xyz/\n https://app.any.run/tasks/a1da3911-b2ce-4e75-a08c-ad354751c913", "id": "1422215905422028803", "retweets": 4, "link": "https://twitter.com/Racco42/status/1422215905422028803", "mentions": [], "hashtags": ["#malspam", "#vidar"], "date": {"$date": 1627917670000}, "timestamp": 1627942870}}, {"reference": ["https://www.virustotal.com/gui/file/e2df1c4ce4619d530e80454c6d30f1997f6f4b36f11b491e6143fae4972ec473/detection"], "md5": [], "sha1": [], "sha256": ["e2df1c4ce4619d530e80454c6d30f1997f6f4b36f11b491e6143fae4972ec473"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "cr4shtest", "tweet": "@reecdeep https://www.virustotal.com/gui/file/e2df1c4ce4619d530e80454c6d30f1997f6f4b36f11b491e6143fae4972ec473/detection the jack.dll :)", "id": "1422221883194417152", "retweets": 0, "link": "https://twitter.com/cr4shtest/status/1422221883194417152", "mentions": ["@reecdeep"], "hashtags": [], "date": {"$date": 1627919095000}, "timestamp": 1627944295}}, {"reference": ["https://www.virustotal.com/gui/file/3bd3ed8e773ad072f49c3e4d8141ae64b7eb9c88658212f2b937ade10b581df9/detection/f-3bd3ed8e773ad072f49c3e4d8141ae64b7eb9c88658212f2b937ade10b581df9-1618400687"], "md5": [], "sha1": [], "sha256": ["3bd3ed8e773ad072f49c3e4d8141ae64b7eb9c88658212f2b937ade10b581df9"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 51\nVirusTotal: https://www.virustotal.com/gui/file/3bd3ed8e773ad072f49c3e4d8141ae64b7eb9c88658212f2b937ade10b581df9/detection/f-3bd3ed8e773ad072f49c3e4d8141ae64b7eb9c88658212f2b937ade10b581df9-1618400687\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422224432110739459", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422224432110739459", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627919702000}, "timestamp": 1627944902}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["www.lego.com"], "url": ["https://www.lego.com/en-gb/product/seinfeld-21328"], "tweet": {"user": "James_inthe_box", "tweet": "@noottrak https://www.lego.com/en-gb/product/seinfeld-21328 ;)", "id": "1422226603715661824", "retweets": 0, "link": "https://twitter.com/James_inthe_box/status/1422226603715661824", "mentions": ["@noottrak"], "hashtags": [], "date": {"$date": 1627920220000}, "timestamp": 1627945420}}, {"reference": ["https://www.virustotal.com/graph/embed/g125e2fff16064a00b59bd847da60a92d21a0b849b4a647a3954e1c05e9a3492b/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["198.12.107.11"], "domain": ["gateway.apple"], "url": [], "tweet": {"user": "dorkingbeauty1", "tweet": "Err HELP!! i think this is quite bad\n198.12.107.11 - gsm/gps - bbc/vbc.exe - gateway.apple-dns - akamai. https://www.virustotal.com/graph/embed/g125e2fff16064a00b59bd847da60a92d21a0b849b4a647a3954e1c05e9a3492b/", "id": "1422229892318605312", "retweets": 2, "link": "https://twitter.com/dorkingbeauty1/status/1422229892318605312", "mentions": [], "hashtags": [], "date": {"$date": 1627921004000}, "timestamp": 1627946204}}, {"reference": ["https://twitter.com/mattifestation/status/1422231897648898051/photo/1", "https://www.virustotal.com/gui/file/7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d/details"], "md5": [], "sha1": [], "sha256": ["7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "mattifestation", "tweet": "Here's the driver I used for reference: https://www.virustotal.com/gui/file/7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d/details\n\nI explicitly allowed this signer w/ a policy in enforcement mode and with \"Enabled:Revoked Expired As Unsigned\" but it wasn't blocked from loading. \ud83e\udd14 Thanks in advance for your insight! https://twitter.com/mattifestation/status/1422231897648898051/photo/1", "id": "1422231897648898051", "retweets": 1, "link": "https://twitter.com/mattifestation/status/1422231897648898051", "mentions": [], "hashtags": [], "date": {"$date": 1627921482000}, "timestamp": 1627946682}}, {"reference": ["https://www.virustotal.com/gui/file/457b31b0e621452def2ac4cc61e3617a3ddc88d97490b15ab47849112226ab74/detection/f-457b31b0e621452def2ac4cc61e3617a3ddc88d97490b15ab47849112226ab74-1609117352"], "md5": [], "sha1": [], "sha256": ["457b31b0e621452def2ac4cc61e3617a3ddc88d97490b15ab47849112226ab74"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 62\nVirusTotal: https://www.virustotal.com/gui/file/457b31b0e621452def2ac4cc61e3617a3ddc88d97490b15ab47849112226ab74/detection/f-457b31b0e621452def2ac4cc61e3617a3ddc88d97490b15ab47849112226ab74-1609117352\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422233238026731524", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422233238026731524", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627921802000}, "timestamp": 1627947002}}, {"reference": ["https://www.virustotal.com/gui/file/2e5e52f5469799ae9de20c0713c54522baa7a580acd845a9ba88e1cba72d7a53/detection"], "md5": [], "sha1": [], "sha256": ["2e5e52f5469799ae9de20c0713c54522baa7a580acd845a9ba88e1cba72d7a53"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "SecureHoney", "tweet": "New malware reported by honeypot:\n \nSHA-256: 2e5e52f5469799ae9de20c0713c54522baa7a580acd845a9ba88e1cba72d7a53\n\nVirusTotal analysis: https://www.virustotal.com/gui/file/2e5e52f5469799ae9de20c0713c54522baa7a580acd845a9ba88e1cba72d7a53/detection\n\n https://SecureHoney.net", "id": "1422233241503911940", "retweets": 0, "link": "https://twitter.com/SecureHoney/status/1422233241503911940", "mentions": [], "hashtags": [], "date": {"$date": 1627921803000}, "timestamp": 1627947003}}, {"reference": ["https://twitter.com/phishunt_io/status/1422241366235570178/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["212.95.142.34"], "domain": ["amazon.t4l66.cn"], "url": ["amazon.t4l66.cn/signin"], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /amazon.t4l66.cn/signin\n\ud83d\udea9 212.95.142.34\n\u2601 DDOSING-BGP-NETWORK\n\ud83d\udd12 R3 https://twitter.com/phishunt_io/status/1422241366235570178/photo/1", "id": "1422241366235570178", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1422241366235570178", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1627923740000}, "timestamp": 1627948940}}, {"reference": ["https://twitter.com/james_inthe_box/status/1422244057170911244/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["syse.sysipa.com"], "url": [], "tweet": {"user": "James_inthe_box", "tweet": "@LittleRedBean2 @malwrhunterteam @JAMESWT_MHT c2: syse.sysipa.com https://twitter.com/James_inthe_box/status/1422244057170911244/photo/1", "id": "1422244057170911244", "retweets": 1, "link": "https://twitter.com/James_inthe_box/status/1422244057170911244", "mentions": ["@LittleRedBean2", "@malwrhunterteam", "@JAMESWT_MHT"], "hashtags": [], "date": {"$date": 1627924381000}, "timestamp": 1627949581}}, {"reference": ["https://www.virustotal.com/gui/file/139adce4299a9c657347910061e0966482125c39b240eae5ee8b5b18de22c208"], "md5": [], "sha1": ["c8a4039a4c347e9571ac042c43028f3d7e2b9784"], "sha256": ["139adce4299a9c657347910061e0966482125c39b240eae5ee8b5b18de22c208"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "marc_etienne_", "tweet": "@CraigHRowland Anyhow the answer seems to be c8a4039a4c347e9571ac042c43028f3d7e2b9784: https://www.virustotal.com/gui/file/139adce4299a9c657347910061e0966482125c39b240eae5ee8b5b18de22c208", "id": "1422252065988960258", "retweets": 0, "link": "https://twitter.com/marc_etienne_/status/1422252065988960258", "mentions": ["@CraigHRowland"], "hashtags": [], "date": {"$date": 1627926291000}, "timestamp": 1627951491}}, {"reference": ["https://www.virustotal.com/gui/file/c6023bd67393f064484c53311d0b92b431ba7fc61618be595cb74143b1603076/detection/f-c6023bd67393f064484c53311d0b92b431ba7fc61618be595cb74143b1603076-1539442089"], "md5": [], "sha1": [], "sha256": ["c6023bd67393f064484c53311d0b92b431ba7fc61618be595cb74143b1603076"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 54\nVirusTotal: https://www.virustotal.com/gui/file/c6023bd67393f064484c53311d0b92b431ba7fc61618be595cb74143b1603076/detection/f-c6023bd67393f064484c53311d0b92b431ba7fc61618be595cb74143b1603076-1539442089\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422252111593721861", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422252111593721861", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627926302000}, "timestamp": 1627951502}}, {"reference": ["https://www.virustotal.com/gui/file/743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be/detection/f-743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be-1626683118"], "md5": [], "sha1": [], "sha256": ["743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 62\nVirusTotal: https://www.virustotal.com/gui/file/743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be/detection/f-743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be-1626683118\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422254632609488904", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422254632609488904", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627926903000}, "timestamp": 1627952103}}, {"reference": ["https://www.virustotal.com/gui/file/d5cfc6cdff2734daa6068fcdafdcc39242472dd4ece68b52bbb9b23f497bec4e/community"], "md5": [], "sha1": [], "sha256": ["d5cfc6cdff2734daa6068fcdafdcc39242472dd4ece68b52bbb9b23f497bec4e"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "tosscoinwitcher", "tweet": "#cybersecurity #infosec @malwrhunterteam @James_inthe_box \n https://www.virustotal.com/gui/file/d5cfc6cdff2734daa6068fcdafdcc39242472dd4ece68b52bbb9b23f497bec4e/community\nThis sample is being submitted to VT by other people now but its coming back clean. Hear me out..\nI got this .JS as a \"contract to sign\" from the mail server of a actual healthcare org.", "id": "1422262670879727616", "retweets": 1, "link": "https://twitter.com/tosscoinwitcher/status/1422262670879727616", "mentions": ["@malwrhunterteam", "@James_inthe_box"], "hashtags": ["#cybersecurity", "#infosec"], "date": {"$date": 1627928819000}, "timestamp": 1627954019}}, {"reference": ["https://www.virustotal.com/gui/file/9e240d5057e0cc7293f5d703f5f65ad95f3283e5916bbac2cfcf652025bc45d3/detection/f-9e240d5057e0cc7293f5d703f5f65ad95f3283e5916bbac2cfcf652025bc45d3-1617410757"], "md5": [], "sha1": [], "sha256": ["9e240d5057e0cc7293f5d703f5f65ad95f3283e5916bbac2cfcf652025bc45d3"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 50\nVirusTotal: https://www.virustotal.com/gui/file/9e240d5057e0cc7293f5d703f5f65ad95f3283e5916bbac2cfcf652025bc45d3/detection/f-9e240d5057e0cc7293f5d703f5f65ad95f3283e5916bbac2cfcf652025bc45d3-1617410757\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422265952260001793", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422265952260001793", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627929602000}, "timestamp": 1627954802}}, {"reference": ["https://www.virustotal.com/gui/file/afc5486f00c13eed546648cbe1ebf5d586c4560b6d47d93900a4fa41bb455ff3/detection"], "md5": [], "sha1": [], "sha256": ["afc5486f00c13eed546648cbe1ebf5d586c4560b6d47d93900a4fa41bb455ff3"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "JesusGenialogic", "tweet": "@oxifrago @RodrIsBack Cuidado con uTorrent:\n https://www.virustotal.com/gui/file/afc5486f00c13eed546648cbe1ebf5d586c4560b6d47d93900a4fa41bb455ff3/detection", "id": "1422270238196969473", "retweets": 0, "link": "https://twitter.com/JesusGenialogic/status/1422270238196969473", "mentions": ["@oxifrago", "@RodrIsBack"], "hashtags": [], "date": {"$date": 1627930623000}, "timestamp": 1627955823}}, {"reference": ["https://www.virustotal.com/gui/file/5a8ec9204b75fba7f758353e89aa336f70c7f2c345a331fbe783a51de35afbcf/detection/f-5a8ec9204b75fba7f758353e89aa336f70c7f2c345a331fbe783a51de35afbcf-1594372810"], "md5": [], "sha1": [], "sha256": ["5a8ec9204b75fba7f758353e89aa336f70c7f2c345a331fbe783a51de35afbcf"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/5a8ec9204b75fba7f758353e89aa336f70c7f2c345a331fbe783a51de35afbcf/detection/f-5a8ec9204b75fba7f758353e89aa336f70c7f2c345a331fbe783a51de35afbcf-1594372810\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422277277199609858", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422277277199609858", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627932302000}, "timestamp": 1627957502}}, {"reference": ["https://www.virustotal.com/gui/file/80500c55e8154bcbaeb74752c501579ddaafcbd51618e905258fdc549ddbecfc/detection/f-80500c55e8154bcbaeb74752c501579ddaafcbd51618e905258fdc549ddbecfc-1579181132"], "md5": [], "sha1": [], "sha256": ["80500c55e8154bcbaeb74752c501579ddaafcbd51618e905258fdc549ddbecfc"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 67\nVirusTotal: https://www.virustotal.com/gui/file/80500c55e8154bcbaeb74752c501579ddaafcbd51618e905258fdc549ddbecfc/detection/f-80500c55e8154bcbaeb74752c501579ddaafcbd51618e905258fdc549ddbecfc-1579181132\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422281053323112451", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422281053323112451", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627933202000}, "timestamp": 1627958402}}, {"reference": ["https://cdn.discordapp.com/attachments/865679133765271565/869582001328500776/4mvmssthhq.js", "https://twitter.com/james_inthe_box/status/1422284259344060418/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["donstop.conferencesystems.online"], "url": ["http://donstop.conferencesystems.online"], "tweet": {"user": "James_inthe_box", "tweet": "@tosscoinwitcher Pretty cool #stealer.sends screenshots as well to:\n\n http://donstop.conferencesystems.online:14402/\n\ndrops an updated version of itself from:\n\n https://cdn.discordapp.com/attachments/865679133765271565/869582001328500776/4MVmSStHhq.js https://twitter.com/James_inthe_box/status/1422284259344060418/photo/1", "id": "1422284259344060418", "retweets": 0, "link": "https://twitter.com/James_inthe_box/status/1422284259344060418", "mentions": ["@tosscoinwitcher"], "hashtags": ["#stealer"], "date": {"$date": 1627933966000}, "timestamp": 1627959166}}, {"reference": ["https://bazaar.abuse.ch/sample/5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38", "https://twitter.com/teamdreier/status/1422285545401630732/photo/1"], "md5": [], "sha1": [], "sha256": ["5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38"], "mail": [], "ip": [], "domain": ["bit.ly"], "url": ["https://bit.ly/3A7r3iv"], "tweet": {"user": "TeamDreier", "tweet": "#malspam #trickbot\nE-mail -> Adobe Acrobat layout -> link point to attachment zip with JS - VT Score 4/68\nJS Malware Bazaar https://bit.ly/3A7r3iv\n https://bazaar.abuse.ch/sample/5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38 https://twitter.com/TeamDreier/status/1422285545401630732/photo/1", "id": "1422285545401630732", "retweets": 6, "link": "https://twitter.com/TeamDreier/status/1422285545401630732", "mentions": [], "hashtags": ["#malspam", "#trickbot"], "date": {"$date": 1627934273000}, "timestamp": 1627959473}}, {"reference": ["https://www.virustotal.com/gui/file/1ff984eaeb0568f63393058bc7e84f48794e59d5927deee98bc45f1442d069ae/detection/f-1ff984eaeb0568f63393058bc7e84f48794e59d5927deee98bc45f1442d069ae-1613886498"], "md5": [], "sha1": [], "sha256": ["1ff984eaeb0568f63393058bc7e84f48794e59d5927deee98bc45f1442d069ae"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 61\nVirusTotal: https://www.virustotal.com/gui/file/1ff984eaeb0568f63393058bc7e84f48794e59d5927deee98bc45f1442d069ae/detection/f-1ff984eaeb0568f63393058bc7e84f48794e59d5927deee98bc45f1442d069ae-1613886498\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422289863739576322", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422289863739576322", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627935303000}, "timestamp": 1627960503}}, {"reference": ["https://docs.zohopublic.com/downloaddocument.do?docid="], "md5": [], "sha1": [], "sha256": ["9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad"], "mail": [], "ip": [], "domain": ["docs.zohopublic.com"], "url": ["https://docs.zohopublic.com/downloaddocument.do?docId"], "tweet": {"user": "James_inthe_box", "tweet": "@TeamDreier rob118 on the gtag. dll is hosted at:\n\n https://docs.zohopublic.com/downloaddocument.do?docId= fbd8wa888a1470fe64d94a075371eda2570cd&docExtn= jpg\n\ndll hash:\n9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad\n\ncc @ZohoCares", "id": "1422296926590930969", "retweets": 1, "link": "https://twitter.com/James_inthe_box/status/1422296926590930969", "mentions": ["@TeamDreier", "@ZohoCares"], "hashtags": [], "date": {"$date": 1627936986000}, "timestamp": 1627962186}}, {"reference": ["https://twitter.com/phishunt_io/status/1422301858400542727/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["199.188.205.245"], "domain": ["santander.uk.validate-paired-device.info"], "url": ["santander.uk.validate-paired-device.info/Login.php"], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /santander.uk.validate-paired-device.info/Login.php\n\ud83d\udea9 199.188.205.245\n\u2601 NAMECHEAP-NET\n\ud83d\udd12 Sectigo RSA Domain Validation Secure Server CA https://twitter.com/phishunt_io/status/1422301858400542727/photo/1", "id": "1422301858400542727", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1422301858400542727", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1627938162000}, "timestamp": 1627963362}}, {"reference": ["https://www.virustotal.com/gui/file/4f725ba9635e12ab228637670a8513e421250e650792d6df900149b39b40e2f5/detection/f-4f725ba9635e12ab228637670a8513e421250e650792d6df900149b39b40e2f5-1615622871"], "md5": [], "sha1": [], "sha256": ["4f725ba9635e12ab228637670a8513e421250e650792d6df900149b39b40e2f5"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 60\nVirusTotal: https://www.virustotal.com/gui/file/4f725ba9635e12ab228637670a8513e421250e650792d6df900149b39b40e2f5/detection/f-4f725ba9635e12ab228637670a8513e421250e650792d6df900149b39b40e2f5-1615622871\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422302444369981442", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422302444369981442", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627938302000}, "timestamp": 1627963502}}, {"reference": ["https://www.virustotal.com/gui/file/d0b7192eb25a342730cd83eb715257c781e71a22f83a0eb9c7c50e231eee3693/detection/f-d0b7192eb25a342730cd83eb715257c781e71a22f83a0eb9c7c50e231eee3693-1595381027"], "md5": [], "sha1": [], "sha256": ["d0b7192eb25a342730cd83eb715257c781e71a22f83a0eb9c7c50e231eee3693"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/d0b7192eb25a342730cd83eb715257c781e71a22f83a0eb9c7c50e231eee3693/detection/f-d0b7192eb25a342730cd83eb715257c781e71a22f83a0eb9c7c50e231eee3693-1595381027\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422306220178919433", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422306220178919433", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627939202000}, "timestamp": 1627964402}}, {"reference": ["https://www.virustotal.com/gui/file/44ddd1d026b015cf0aabe09c9d5e1f4710996dc28943fc03242edb3c3492d872/detection/f-44ddd1d026b015cf0aabe09c9d5e1f4710996dc28943fc03242edb3c3492d872-1619083697"], "md5": [], "sha1": [], "sha256": ["44ddd1d026b015cf0aabe09c9d5e1f4710996dc28943fc03242edb3c3492d872"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 58\nVirusTotal: https://www.virustotal.com/gui/file/44ddd1d026b015cf0aabe09c9d5e1f4710996dc28943fc03242edb3c3492d872/detection/f-44ddd1d026b015cf0aabe09c9d5e1f4710996dc28943fc03242edb3c3492d872-1619083697\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422309992347185156", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422309992347185156", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627940102000}, "timestamp": 1627965302}}, {"reference": ["https://ia601506.us.archive.org/27/items/bypass_202108/bypass.txt", "https://app.any.run/tasks/e6840e79-5b00-415a-bac5-462678dadb0c/", "https://ia601506.us.archive.org/34/items/der_20210802/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["13.77.222.211"], "domain": [], "url": ["https://13.77.222.211"], "tweet": {"user": "nas_bench", "tweet": "Interesting #malware sample hosting malware on http://archive.org \n https://app.any.run/tasks/e6840e79-5b00-415a-bac5-462678dadb0c/\nDER.txt: https://ia601506.us.archive.org/34/items/der_20210802/\nbypass.txt: https://ia601506.us.archive.org/27/items/bypass_202108/bypass.txt\nMalware drops 6 executables one of which leading to: hxxps://13.77.222.211 that is hosting #rackspace", "id": "1422313233885679618", "retweets": 2, "link": "https://twitter.com/nas_bench/status/1422313233885679618", "mentions": [], "hashtags": ["#malware", "#rackspace"], "date": {"$date": 1627940874000}, "timestamp": 1627966074}}, {"reference": ["https://www.virustotal.com/gui/file/deb0ae51b98b1b7c6069935011c8489d71a5c2922dd401a1ee624bc33a8f5dd8/detection/f-deb0ae51b98b1b7c6069935011c8489d71a5c2922dd401a1ee624bc33a8f5dd8-1588292212"], "md5": [], "sha1": [], "sha256": ["deb0ae51b98b1b7c6069935011c8489d71a5c2922dd401a1ee624bc33a8f5dd8"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 65\nVirusTotal: https://www.virustotal.com/gui/file/deb0ae51b98b1b7c6069935011c8489d71a5c2922dd401a1ee624bc33a8f5dd8/detection/f-deb0ae51b98b1b7c6069935011c8489d71a5c2922dd401a1ee624bc33a8f5dd8-1588292212\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422317542094348289", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422317542094348289", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627941902000}, "timestamp": 1627967102}}, {"reference": ["https://app.any.run/tasks/33ed2642-b879-4507-a0c2-66136fde62ae"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["103.167.91.9", "13.77.222.211", "20.194.35.6"], "domain": [], "url": ["13.77.222.211:7827", "20.194.35.6:7904", "http://103.167.91.9:7825/Vre"], "tweet": {"user": "Racco42", "tweet": "#malspam \"Invoice#1XGYOUD62OP\" with .iso\nattachment containing .js and .vbs\n\n.js is #vjw0rm with C2\nhxxp://103.167.91.9:7825/Vre\n\n.vbs is hiding at least 2 RATs: #njrat and #bitrat\n https://app.any.run/tasks/33ed2642-b879-4507-a0c2-66136fde62ae\nC2s: \n13.77.222.211:7827\n20.194.35.6:7904", "id": "1422325067577495552", "retweets": 2, "link": "https://twitter.com/Racco42/status/1422325067577495552", "mentions": [], "hashtags": ["#malspam", "#1XGYOUD62OP", "#vjw0rm", "#njrat", "#bitrat"], "date": {"$date": 1627943696000}, "timestamp": 1627968896}}, {"reference": ["https://twitter.com/bad_packets/status/1422330585482108935/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["185.207.249.28"], "domain": [], "url": [], "tweet": {"user": "bad_packets", "tweet": "Mass scanning activity detected from 185.207.249.28 (\ud83c\uddfa\ud83c\uddf8) targeting Fortinet VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2018-13379) leading to disclosure of usernames and passwords in plaintext.\n\nPorts targeted:\n6984/tcp\n7443/tcp\n50880/tcp\n #threatintel https://twitter.com/bad_packets/status/1422330585482108935/photo/1", "id": "1422330585482108935", "retweets": 19, "link": "https://twitter.com/bad_packets/status/1422330585482108935", "mentions": [], "hashtags": ["#threatintel"], "date": {"$date": 1627945011000}, "timestamp": 1627970211}}, {"reference": ["https://www.virustotal.com/gui/file/7adafdeb26df4b7bcf048da8777c78b9e776e34736d983fa2858d7f8629b7004/detection/f-7adafdeb26df4b7bcf048da8777c78b9e776e34736d983fa2858d7f8629b7004-1620718818"], "md5": [], "sha1": [], "sha256": ["7adafdeb26df4b7bcf048da8777c78b9e776e34736d983fa2858d7f8629b7004"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 57\nVirusTotal: https://www.virustotal.com/gui/file/7adafdeb26df4b7bcf048da8777c78b9e776e34736d983fa2858d7f8629b7004/detection/f-7adafdeb26df4b7bcf048da8777c78b9e776e34736d983fa2858d7f8629b7004-1620718818\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422331383700205568", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422331383700205568", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627945202000}, "timestamp": 1627970402}}, {"reference": ["https://vx-underground.org/tmp/", "https://www.virustotal.com/gui/file/18e4bd2378a0e70fd1234796de4156da51c0e264c3b410de5d8367cc70e03b66/detection"], "md5": [], "sha1": [], "sha256": ["18e4bd2378a0e70fd1234796de4156da51c0e264c3b410de5d8367cc70e03b66"], "mail": [], "ip": [], "domain": ["vx-underground.org"], "url": ["https://vx-underground.org/tmp"], "tweet": {"user": "vxunderground", "tweet": "If you'd like to download the malware they tried to spearphish us with. you can download it here: \n\n https://vx-underground.org/tmp/\n\n* Link modified to conform with Twitters ban on our domains\n* Daisy20\n* No password\n\nMore info: https://www.virustotal.com/gui/file/18e4bd2378a0e70fd1234796de4156da51c0e264c3b410de5d8367cc70e03b66/detection", "id": "1422337113903845384", "retweets": 8, "link": "https://twitter.com/vxunderground/status/1422337113903845384", "mentions": [], "hashtags": [], "date": {"$date": 1627946568000}, "timestamp": 1627971768}}, {"reference": ["https://www.virustotal.com/gui/file/8184a1346f25a281932f598fb19dc5840249cd9bfd933654941dc7bcf59af22e/detection/f-8184a1346f25a281932f598fb19dc5840249cd9bfd933654941dc7bcf59af22e-1598024284"], "md5": ["4a5d4a82c5c9f8afd605f7d95e417a52"], "sha1": ["bc63a483045a18a60c8fe7a01a07adfb322ff453"], "sha256": ["8184a1346f25a281932f598fb19dc5840249cd9bfd933654941dc7bcf59af22e"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 62\nVirusTotal: https://www.virustotal.com/gui/file/8184a1346f25a281932f598fb19dc5840249cd9bfd933654941dc7bcf59af22e/detection/f-8184a1346f25a281932f598fb19dc5840249cd9bfd933654941dc7bcf59af22e-1598024284\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1422337675026120705", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1422337675026120705", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1627946702000}, "timestamp": 1627971902}}]