[{"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/EcKQUuGU"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 2 IOC update\n https://pastebin.com/EcKQUuGU", "id": "1319793324031660032", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319793324031660032", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603498223000}, "timestamp": 1603491023}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/ZJtSX3Wx"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 1 IOC update\n https://pastebin.com/ZJtSX3Wx", "id": "1319793346412511232", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319793346412511232", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603498229000}, "timestamp": 1603491029}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/7MgiJcf5"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 3 IOC update\n https://pastebin.com/7MgiJcf5", "id": "1319794078574403584", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319794078574403584", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603498403000}, "timestamp": 1603491203}}, {"reference": ["https://www.pastery.net/tnfyfc/"], "md5": [], "sha1": [], "sha256": ["91d0ed4245e79845b26ee8c76fed33feef18732ce53c4ed2b09ce63635845611", "536e60a97847352c0f4cd76965f2461f858b049c32759b0b92df795172c7510b"], "mail": [], "ip": [], "domain": ["www.pastery.net", "www.tuchong.com", "v.autohome.com.cn", "ithelper.paic.com.cn"], "url": ["ithelper.paic.com.cn/_layouts/Wopi/people.ico", "https://www.pastery.net/tnfyfc"], "tweet": {"user": "h2jazi", "tweet": "Maldocs:\n91d0ed4245e79845b26ee8c76fed33feef18732ce53c4ed2b09ce63635845611\n536e60a97847352c0f4cd76965f2461f858b049c32759b0b92df795172c7510b\n\nMashta: https://www.pastery.net/tnfyfc/\nC2s:\nithelper.paic.com.cn/_layouts/Wopi/people.ico\nwww.tuchong.com\nv.autohome.com.cn", "id": "1319797607389143041", "retweets": 1, "link": "https://twitter.com/h2jazi/status/1319797607389143041", "mentions": [], "hashtags": [], "date": {"$date": 1603499244000}, "timestamp": 1603492044}}, {"reference": ["https://www.virustotal.com/gui/file/ede43c0ed6b86bb31e1332860767412109f21f5a7d9265d00c4e5f3ac3709e4d/detection/f-ede43c0ed6b86bb31e1332860767412109f21f5a7d9265d00c4e5f3ac3709e4d-1573023528"], "md5": [], "sha1": [], "sha256": ["ede43c0ed6b86bb31e1332860767412109f21f5a7d9265d00c4e5f3ac3709e4d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 61\nVirusTotal: https://www.virustotal.com/gui/file/ede43c0ed6b86bb31e1332860767412109f21f5a7d9265d00c4e5f3ac3709e4d/detection/f-ede43c0ed6b86bb31e1332860767412109f21f5a7d9265d00c4e5f3ac3709e4d-1573023528\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319800786210217986", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319800786210217986", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603500002000}, "timestamp": 1603492802}}, {"reference": ["https://www.virustotal.com/gui/file/82be7312055ea06867784fd3fa9483133f6ae2abb0a16903c701283646ac7eab/detection/f-82be7312055ea06867784fd3fa9483133f6ae2abb0a16903c701283646ac7eab-1602502944"], "md5": [], "sha1": [], "sha256": ["82be7312055ea06867784fd3fa9483133f6ae2abb0a16903c701283646ac7eab"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 59\nVirusTotal: https://www.virustotal.com/gui/file/82be7312055ea06867784fd3fa9483133f6ae2abb0a16903c701283646ac7eab/detection/f-82be7312055ea06867784fd3fa9483133f6ae2abb0a16903c701283646ac7eab-1602502944\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319812110080200704", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319812110080200704", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603502702000}, "timestamp": 1603495502}}, {"reference": ["https://www.virustotal.com/gui/file/602d4c0e53415a4e84a7bdaba011cb0fdf5b2f7177fd4d4a8ae74b3060650db9/detection"], "md5": [], "sha1": [], "sha256": ["602d4c0e53415a4e84a7bdaba011cb0fdf5b2f7177fd4d4a8ae74b3060650db9"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "nekomimimaiden", "tweet": "\u30a6\u30a4\u30eb\u30b9\u30c8\u30fc\u30bf\u30eb\u306e\u30b9\u30ad\u30e3\u30f3\u7d50\u679c\u8cbc\u308b\u306e\u5fd8\u308c\u3066\u305f\u3002\n\u3053\u308c\uff1a https://www.virustotal.com/gui/file/602d4c0e53415a4e84a7bdaba011cb0fdf5b2f7177fd4d4a8ae74b3060650db9/detection\n\u306a\uff1f\u5371\u967a\u3067\u3057\u3087\uff1f", "id": "1319821492373221377", "retweets": 0, "link": "https://twitter.com/nekomimimaiden/status/1319821492373221377", "mentions": [], "hashtags": [], "date": {"$date": 1603504939000}, "timestamp": 1603497739}}, {"reference": ["https://www.virustotal.com/gui/file/f8fd25d47f1ad6431ff8a218d4d8cd5ffe68aae9e0fe91e2274b94a8404adb23/detection/f-f8fd25d47f1ad6431ff8a218d4d8cd5ffe68aae9e0fe91e2274b94a8404adb23-1585412489"], "md5": [], "sha1": [], "sha256": ["f8fd25d47f1ad6431ff8a218d4d8cd5ffe68aae9e0fe91e2274b94a8404adb23"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/f8fd25d47f1ad6431ff8a218d4d8cd5ffe68aae9e0fe91e2274b94a8404adb23/detection/f-f8fd25d47f1ad6431ff8a218d4d8cd5ffe68aae9e0fe91e2274b94a8404adb23-1585412489\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319825953363795968", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319825953363795968", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603506003000}, "timestamp": 1603498803}}, {"reference": ["https://www.virustotal.com/gui/file/4e893876abd2a3675120720aa8cab4f75a0c06ea0b1fb4cfe8cc95af8584dee3/detection/f-4e893876abd2a3675120720aa8cab4f75a0c06ea0b1fb4cfe8cc95af8584dee3-1569232519"], "md5": [], "sha1": [], "sha256": ["4e893876abd2a3675120720aa8cab4f75a0c06ea0b1fb4cfe8cc95af8584dee3"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 60\nVirusTotal: https://www.virustotal.com/gui/file/4e893876abd2a3675120720aa8cab4f75a0c06ea0b1fb4cfe8cc95af8584dee3/detection/f-4e893876abd2a3675120720aa8cab4f75a0c06ea0b1fb4cfe8cc95af8584dee3-1569232519\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319828469128269824", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319828469128269824", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603506602000}, "timestamp": 1603499402}}, {"reference": ["https://www.virustotal.com/gui/file/9df45aa86c06667117c77d0569c414351bf4dd9e42dbcc5c33d5f92046a8c0e3/detection/f-9df45aa86c06667117c77d0569c414351bf4dd9e42dbcc5c33d5f92046a8c0e3-1562572843"], "md5": [], "sha1": [], "sha256": ["9df45aa86c06667117c77d0569c414351bf4dd9e42dbcc5c33d5f92046a8c0e3"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 47\nVirusTotal: https://www.virustotal.com/gui/file/9df45aa86c06667117c77d0569c414351bf4dd9e42dbcc5c33d5f92046a8c0e3/detection/f-9df45aa86c06667117c77d0569c414351bf4dd9e42dbcc5c33d5f92046a8c0e3-1562572843\nThreat: Ransom:Win32/CVE-2017-0147.A (Microsoft)", "id": "1319828471300882438", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319828471300882438", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603506603000}, "timestamp": 1603499403}}, {"reference": ["https://www.virustotal.com/gui/file/f3e63de1eb5aaa7c8176b68421e2ccac5196c49f049f96a607d9a64616c147d8/detection/f-f3e63de1eb5aaa7c8176b68421e2ccac5196c49f049f96a607d9a64616c147d8-1543209155"], "md5": [], "sha1": [], "sha256": ["f3e63de1eb5aaa7c8176b68421e2ccac5196c49f049f96a607d9a64616c147d8"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 57\nVirusTotal: https://www.virustotal.com/gui/file/f3e63de1eb5aaa7c8176b68421e2ccac5196c49f049f96a607d9a64616c147d8/detection/f-f3e63de1eb5aaa7c8176b68421e2ccac5196c49f049f96a607d9a64616c147d8-1543209155\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319841051717357569", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319841051717357569", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603509602000}, "timestamp": 1603502402}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/8C5Pbt3i"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 2 IOC update\n https://pastebin.com/8C5Pbt3i", "id": "1319853630925737984", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319853630925737984", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603512601000}, "timestamp": 1603505401}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/mssmCsxX"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 1 IOC update\n https://pastebin.com/mssmCsxX", "id": "1319853777214705664", "retweets": 1, "link": "https://twitter.com/Cryptolaemus1/status/1319853777214705664", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603512636000}, "timestamp": 1603505436}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/nn7ZYJUK"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 3 IOC update\n https://pastebin.com/nn7ZYJUK", "id": "1319854621582610432", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319854621582610432", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603512838000}, "timestamp": 1603505638}}, {"reference": ["https://www.virustotal.com/gui/file/5e92ec541eae5178803d6f58a71867fd11cb0187481c1efd73b7830a0e7eb6ab/detection/f-5e92ec541eae5178803d6f58a71867fd11cb0187481c1efd73b7830a0e7eb6ab-1581643524"], "md5": [], "sha1": [], "sha256": ["5e92ec541eae5178803d6f58a71867fd11cb0187481c1efd73b7830a0e7eb6ab"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 66\nVirusTotal: https://www.virustotal.com/gui/file/5e92ec541eae5178803d6f58a71867fd11cb0187481c1efd73b7830a0e7eb6ab/detection/f-5e92ec541eae5178803d6f58a71867fd11cb0187481c1efd73b7830a0e7eb6ab-1581643524\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319861181549580288", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319861181549580288", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603514402000}, "timestamp": 1603507202}}, {"reference": ["https://www.virustotal.com/gui/file/bccf65c40db569d8ca72a23003d794ab0716507dc5b53f012c7c9b3a1f05a84d/detection/f-bccf65c40db569d8ca72a23003d794ab0716507dc5b53f012c7c9b3a1f05a84d-1601429514"], "md5": [], "sha1": [], "sha256": ["bccf65c40db569d8ca72a23003d794ab0716507dc5b53f012c7c9b3a1f05a84d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/bccf65c40db569d8ca72a23003d794ab0716507dc5b53f012c7c9b3a1f05a84d/detection/f-bccf65c40db569d8ca72a23003d794ab0716507dc5b53f012c7c9b3a1f05a84d-1601429514\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319873766441234433", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319873766441234433", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603517402000}, "timestamp": 1603510202}}, {"reference": ["https://twitter.com/abuse_ch/status/1319893780166856705/photo/1", "https://bazaar.abuse.ch/sample/272602c23c69ff189ba778eff6a03cfa3a76e01423103abcdf54afe5d1c52b6d/"], "md5": [], "sha1": [], "sha256": ["272602c23c69ff189ba778eff6a03cfa3a76e01423103abcdf54afe5d1c52b6d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "abuse_ch", "tweet": "More TrickBot malspam (ono95) hitting the US \ud83c\uddfa\ud83c\uddf8\n\n\u2705 Weaponized word document \ud83d\udcc4\n\u2705 No payload URLs \u261d\ufe0f\n\u2705 7 out of 12 TrickBot C2s are ACTIVE \ud83d\udea8\n\u2705 ZERO AV detection according to VT (0/60) \ud83e\udd2f\n\nWord document:\n\ud83d\udc49 https://bazaar.abuse.ch/sample/272602c23c69ff189ba778eff6a03cfa3a76e01423103abcdf54afe5d1c52b6d/ https://twitter.com/abuse_ch/status/1319893780166856705/photo/1", "id": "1319893780166856705", "retweets": 20, "link": "https://twitter.com/abuse_ch/status/1319893780166856705", "mentions": [], "hashtags": [], "date": {"$date": 1603522174000}, "timestamp": 1603514974}}, {"reference": ["https://bazaar.abuse.ch/sample/4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9/"], "md5": [], "sha1": [], "sha256": ["4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "JAMESWT_MHT", "tweet": "@abuse_ch and related #Trickbot payload from mentioned DOC\n https://bazaar.abuse.ch/sample/4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9/\ncc @malwrhunterteam @James_inthe_box @Arkbird_SOLG @sugimu_sec @VK_Intel", "id": "1319901235521138689", "retweets": 1, "link": "https://twitter.com/JAMESWT_MHT/status/1319901235521138689", "mentions": ["@abuse_ch", "@malwrhunterteam", "@James_inthe_box", "@Arkbird_SOLG", "@sugimu_sec", "@VK_Intel"], "hashtags": ["#Trickbot"], "date": {"$date": 1603523951000}, "timestamp": 1603516751}}, {"reference": ["https://www.virustotal.com/gui/file/87e4300925248be335da6fa90e8eea072fcd1dcee7ce91ab199f380607d562e7/detection/f-87e4300925248be335da6fa90e8eea072fcd1dcee7ce91ab199f380607d562e7-1603427621"], "md5": [], "sha1": [], "sha256": ["87e4300925248be335da6fa90e8eea072fcd1dcee7ce91ab199f380607d562e7"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 60\nVirusTotal: https://www.virustotal.com/gui/file/87e4300925248be335da6fa90e8eea072fcd1dcee7ce91ab199f380607d562e7/detection/f-87e4300925248be335da6fa90e8eea072fcd1dcee7ce91ab199f380607d562e7-1603427621\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319906480615792641", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319906480615792641", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603525202000}, "timestamp": 1603518002}}, {"reference": ["https://www.virustotal.com/gui/file/55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325/detection/f-55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325-1598062623"], "md5": [], "sha1": [], "sha256": ["55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 61\nVirusTotal: https://www.virustotal.com/gui/file/55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325/detection/f-55bf44e4cf6da43c82d2042f6bccd9e2f927ae405cf78b06b4720a61a4889325-1598062623\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319907741113221121", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319907741113221121", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603525502000}, "timestamp": 1603518302}}, {"reference": ["https://www.virustotal.com/gui/domain/www.tennesseesouthernlending.com"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["www.tennesseesouthernlending.com"], "url": [], "tweet": {"user": "Certego_Intel", "tweet": "#Covid19 #Spam #Suspicious\nDomain: www.tennesseesouthernlending.com\nVirusTotal: https://www.virustotal.com/gui/domain/www.tennesseesouthernlending.com\n#CyberSecurity #ThreatIntel (bot generated)", "id": "1319910708436520960", "retweets": 0, "link": "https://twitter.com/Certego_Intel/status/1319910708436520960", "mentions": [], "hashtags": ["#Covid19", "#Spam", "#Suspicious", "#CyberSecurity", "#ThreatIntel"], "date": {"$date": 1603526210000}, "timestamp": 1603519010}}, {"reference": ["https://www.virustotal.com/gui/domain/coronavirusupdates.bowerypresents.com"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["coronavirusupdates.bowerypresents.com"], "url": [], "tweet": {"user": "Certego_Intel", "tweet": "#Covid19 #CertStream #Suspicious\nDomain: coronavirusupdates.bowerypresents.com\nVirusTotal: https://www.virustotal.com/gui/domain/coronavirusupdates.bowerypresents.com\n#CyberSecurity #ThreatIntel (bot generated)", "id": "1319910713331273729", "retweets": 0, "link": "https://twitter.com/Certego_Intel/status/1319910713331273729", "mentions": [], "hashtags": ["#Covid19", "#CertStream", "#Suspicious", "#CyberSecurity", "#ThreatIntel"], "date": {"$date": 1603526211000}, "timestamp": 1603519011}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/hC8BadDB"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 2 IOC update\n https://pastebin.com/hC8BadDB", "id": "1319913943050010624", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319913943050010624", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603526981000}, "timestamp": 1603519781}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/pkLzt2v7"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 1 IOC update\n https://pastebin.com/pkLzt2v7", "id": "1319914071785877505", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319914071785877505", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603527012000}, "timestamp": 1603519812}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/BLsY1aDT"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 3 IOC update\n https://pastebin.com/BLsY1aDT", "id": "1319914884990160897", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319914884990160897", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603527206000}, "timestamp": 1603520006}}, {"reference": ["https://www.virustotal.com/gui/file/05dba3e8c8668d982573e4dd3f3b0dec430427c4f7990f5a9e8d1e6c9ea7ce56/detection/f-05dba3e8c8668d982573e4dd3f3b0dec430427c4f7990f5a9e8d1e6c9ea7ce56-1563949832"], "md5": [], "sha1": [], "sha256": ["05dba3e8c8668d982573e4dd3f3b0dec430427c4f7990f5a9e8d1e6c9ea7ce56"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 59\nVirusTotal: https://www.virustotal.com/gui/file/05dba3e8c8668d982573e4dd3f3b0dec430427c4f7990f5a9e8d1e6c9ea7ce56/detection/f-05dba3e8c8668d982573e4dd3f3b0dec430427c4f7990f5a9e8d1e6c9ea7ce56-1563949832\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319915288918396928", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319915288918396928", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603527302000}, "timestamp": 1603520102}}, {"reference": ["https://www.virustotal.com/gui/file/26199d8ee0cc73f6d28a6fb70e2bd5286a5d06959f76c0c744c2a23f1b986f8c/detection"], "md5": [], "sha1": [], "sha256": ["26199d8ee0cc73f6d28a6fb70e2bd5286a5d06959f76c0c744c2a23f1b986f8c"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "GossiTheDog", "tweet": "They did some changes to their SocGholish loader recently. here\u2019s an example for AV engines https://www.virustotal.com/gui/file/26199d8ee0cc73f6d28a6fb70e2bd5286a5d06959f76c0c744c2a23f1b986f8c/detection", "id": "1319924914841899008", "retweets": 0, "link": "https://twitter.com/GossiTheDog/status/1319924914841899008", "mentions": [], "hashtags": [], "date": {"$date": 1603529597000}, "timestamp": 1603522397}}, {"reference": ["https://pulsedive.com/explore/?q="], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pulsedive.com"], "url": ["https://pulsedive.com/explore/?q"], "tweet": {"user": "netbroom", "tweet": "@abuse_ch @SendGrid They don't publish but I just did a search in @pulsedive. looks like we have over 200 IPs that came in on blocklists: https://pulsedive.com/explore/?q= JTdCJTIydHlwZSUyMiUzQSU1QiUyMmFsbCUyMiU1RCUyQyUyMnJpc2slMjIlM0ElNUIlMjJhbGwlMjIlNUQlMkMlMjJyZXRpcmVkJTIyJTNBJTIyZmFsc2UlMjIlMkMlMjJwcm9wZXJ0eSUyMiUzQSU1QiU3QiUyMmtleSUyMiUzQSUyMnByb3BlcnR5JTIyJTJDJTIydHlwZSUyMiUzQSUyMmdlbyUyMiUyQyUyMnZhbHVlJTIyJTNBJTIyU0VOREdSSUQlMjIlMkMlMjJuYW1lJTIyJTNBJTIyaXNwJTIyJTdEJTVEJTJDJTIybGltaXQlMjIlM0ElMjJ0aG91c2FuZCUyMiUyQyUyMmxhc3RzZWVuJTIyJTNBJTIyYWxsJTIyJTJDJTIyc2VhcmNoJTIyJTNBJTIyaW5kaWNhdG9ycyUyMiU3RA= = #indicators", "id": "1319926623404236806", "retweets": 0, "link": "https://twitter.com/netbroom/status/1319926623404236806", "mentions": ["@abuse_ch", "@SendGrid", "@pulsedive"], "hashtags": ["#indicators"], "date": {"$date": 1603530004000}, "timestamp": 1603522804}}, {"reference": ["https://www.virustotal.com/gui/file/1998850290d2d17e5537610fdd074fce3027e0999a06bc7f2d9c2ee9170773eb/detection"], "md5": [], "sha1": [], "sha256": ["1998850290d2d17e5537610fdd074fce3027e0999a06bc7f2d9c2ee9170773eb"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "500mk500", "tweet": "@malwrhunterteam @bl4ckh0l3z Also related sample: https://www.virustotal.com/gui/file/1998850290d2d17e5537610fdd074fce3027e0999a06bc7f2d9c2ee9170773eb/detection", "id": "1319929914901041152", "retweets": 0, "link": "https://twitter.com/500mk500/status/1319929914901041152", "mentions": ["@malwrhunterteam", "@bl4ckh0l3z"], "hashtags": [], "date": {"$date": 1603530789000}, "timestamp": 1603523589}}, {"reference": ["https://www.virustotal.com/gui/file/2dd2b11cfd27de1dc8eec7f584fd8eada9130f360ec35435a4310c3884202296/detection/f-2dd2b11cfd27de1dc8eec7f584fd8eada9130f360ec35435a4310c3884202296-1585412498"], "md5": [], "sha1": [], "sha256": ["2dd2b11cfd27de1dc8eec7f584fd8eada9130f360ec35435a4310c3884202296"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 66\nVirusTotal: https://www.virustotal.com/gui/file/2dd2b11cfd27de1dc8eec7f584fd8eada9130f360ec35435a4310c3884202296/detection/f-2dd2b11cfd27de1dc8eec7f584fd8eada9130f360ec35435a4310c3884202296-1585412498\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319930388047867905", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319930388047867905", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603530902000}, "timestamp": 1603523702}}, {"reference": ["https://bazaar.abuse.ch/sample/30d0c917e8ddfc0a698133c3a96135e25c3957913096d252a31b91ea89adc671/", "https://bazaar.abuse.ch/sample/4a25856a07811127b8f1b492abc00f953572f0c6bee4e5c1056c0af93528ca68/", "https://bazaar.abuse.ch/sample/b4f20bb869575d8b20aaf614f422f6a889ed24d9a6031564235ff3f7a7a97bdc", "https://twitter.com/jameswt_mht/status/1319932531039404032/photo/1"], "md5": [], "sha1": [], "sha256": ["30d0c917e8ddfc0a698133c3a96135e25c3957913096d252a31b91ea89adc671", "4a25856a07811127b8f1b492abc00f953572f0c6bee4e5c1056c0af93528ca68", "b4f20bb869575d8b20aaf614f422f6a889ed24d9a6031564235ff3f7a7a97bdc"], "mail": [], "ip": ["75.127.1.211"], "domain": [], "url": ["75.127.1.211/svch/vbc.exe", "75.127.1.211/svch/document.doc"], "tweet": {"user": "JAMESWT_MHT", "tweet": "#AgentTesla #DHL \nDoc\n https://bazaar.abuse.ch/sample/30d0c917e8ddfc0a698133c3a96135e25c3957913096d252a31b91ea89adc671/\n>\ndoc\n https://bazaar.abuse.ch/sample/4a25856a07811127b8f1b492abc00f953572f0c6bee4e5c1056c0af93528ca68/\nexe also caught by @James_inthe_box \n https://bazaar.abuse.ch/sample/b4f20bb869575d8b20aaf614f422f6a889ed24d9a6031564235ff3f7a7a97bdc\n75.127.1.211/svch/document.doc\n75.127.1.211/svch/vbc.exe\ncc @guelfoweb @AgidCert @FBussoletti @malwrhunterteam @verovaleros @sugimu_sec \n\ud83d\udd3d https://twitter.com/JAMESWT_MHT/status/1319932531039404032/photo/1", "id": "1319932531039404032", "retweets": 8, "link": "https://twitter.com/JAMESWT_MHT/status/1319932531039404032", "mentions": ["@James_inthe_box", "@guelfoweb", "@AgidCert", "@FBussoletti", "@malwrhunterteam", "@verovaleros", "@sugimu_sec"], "hashtags": ["#AgentTesla", "#DHL"], "date": {"$date": 1603531413000}, "timestamp": 1603524213}}, {"reference": ["https://www.virustotal.com/gui/file/c43333cb1a1ed11d157cfd471881c0bfa89400e12923f42bc526ad0954468bdc/detection/f-c43333cb1a1ed11d157cfd471881c0bfa89400e12923f42bc526ad0954468bdc-1599042619"], "md5": [], "sha1": [], "sha256": ["c43333cb1a1ed11d157cfd471881c0bfa89400e12923f42bc526ad0954468bdc"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 59\nVirusTotal: https://www.virustotal.com/gui/file/c43333cb1a1ed11d157cfd471881c0bfa89400e12923f42bc526ad0954468bdc/detection/f-c43333cb1a1ed11d157cfd471881c0bfa89400e12923f42bc526ad0954468bdc-1599042619\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319932909533483010", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319932909533483010", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603531503000}, "timestamp": 1603524303}}, {"reference": ["https://twitter.com/fbgwls245/status/1319940723077120000/photo/1"], "md5": ["3FA08A11D59047A429DD90FCC15A6A87"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "fbgwls245", "tweet": "Russia #Ransomware\n3FA08A11D59047A429DD90FCC15A6A87\n.pizhon-(Random)\n@BleepinComputer @demonslay335 @Amigo_A_ @siri_urz https://twitter.com/fbgwls245/status/1319940723077120000/photo/1", "id": "1319940723077120000", "retweets": 4, "link": "https://twitter.com/fbgwls245/status/1319940723077120000", "mentions": ["@BleepinComputer", "@demonslay335", "@Amigo_A_", "@siri_urz"], "hashtags": ["#Ransomware"], "date": {"$date": 1603533366000}, "timestamp": 1603526166}}, {"reference": ["https://www.virustotal.com/gui/file/c8bd5b5784e0a32df6b43b057f0ce459b1213f7dba49746fd6658c106e11afb8/detection/f-c8bd5b5784e0a32df6b43b057f0ce459b1213f7dba49746fd6658c106e11afb8-1576484468"], "md5": [], "sha1": [], "sha256": ["c8bd5b5784e0a32df6b43b057f0ce459b1213f7dba49746fd6658c106e11afb8"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/c8bd5b5784e0a32df6b43b057f0ce459b1213f7dba49746fd6658c106e11afb8/detection/f-c8bd5b5784e0a32df6b43b057f0ce459b1213f7dba49746fd6658c106e11afb8-1576484468\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319944231427997696", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319944231427997696", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603534202000}, "timestamp": 1603527002}}, {"reference": [], "md5": ["A2FDE6727F4D0471FA0E8E4B32F52061", "871F73CAE5A89A673F8E668BD38CA409"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "fbgwls245", "tweet": "A2FDE6727F4D0471FA0E8E4B32F52061\n871F73CAE5A89A673F8E668BD38CA409", "id": "1319945547608805376", "retweets": 1, "link": "https://twitter.com/fbgwls245/status/1319945547608805376", "mentions": [], "hashtags": [], "date": {"$date": 1603534516000}, "timestamp": 1603527316}}, {"reference": ["https://www.virustotal.com/gui/file/1b067c94b3ad4aabe606ba30c88c2ed2454e83b0cd41677d13cf3ab84d25a891/detection/f-1b067c94b3ad4aabe606ba30c88c2ed2454e83b0cd41677d13cf3ab84d25a891-1594605856"], "md5": [], "sha1": [], "sha256": ["1b067c94b3ad4aabe606ba30c88c2ed2454e83b0cd41677d13cf3ab84d25a891"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 65\nVirusTotal: https://www.virustotal.com/gui/file/1b067c94b3ad4aabe606ba30c88c2ed2454e83b0cd41677d13cf3ab84d25a891/detection/f-1b067c94b3ad4aabe606ba30c88c2ed2454e83b0cd41677d13cf3ab84d25a891-1594605856\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319946747423166466", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319946747423166466", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603534802000}, "timestamp": 1603527602}}, {"reference": ["https://www.virustotal.com/gui/file/36dde0acce43dac1e5baa8e4b121a96f9aa0315c4386a203f6ea4e56534c7859/detection/f-36dde0acce43dac1e5baa8e4b121a96f9aa0315c4386a203f6ea4e56534c7859-1600959598"], "md5": [], "sha1": [], "sha256": ["36dde0acce43dac1e5baa8e4b121a96f9aa0315c4386a203f6ea4e56534c7859"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/36dde0acce43dac1e5baa8e4b121a96f9aa0315c4386a203f6ea4e56534c7859/detection/f-36dde0acce43dac1e5baa8e4b121a96f9aa0315c4386a203f6ea4e56534c7859-1600959598\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319949262982172672", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319949262982172672", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603535402000}, "timestamp": 1603528202}}, {"reference": ["https://www.virustotal.com/gui/file/821be1fb077ab40f151581c15b4c342bf99ca7427d8d495e88b44a39deac1739/detection/f-821be1fb077ab40f151581c15b4c342bf99ca7427d8d495e88b44a39deac1739-1594014917"], "md5": [], "sha1": [], "sha256": ["821be1fb077ab40f151581c15b4c342bf99ca7427d8d495e88b44a39deac1739"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/821be1fb077ab40f151581c15b4c342bf99ca7427d8d495e88b44a39deac1739/detection/f-821be1fb077ab40f151581c15b4c342bf99ca7427d8d495e88b44a39deac1739-1594014917\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319954297296179203", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319954297296179203", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603536602000}, "timestamp": 1603529402}}, {"reference": ["https://www.virustotal.com/gui/ip-address/162.241.127.207/relations", "https://twitter.com/teamdreier/status/1319956056794157060/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["162.241.127.207"], "domain": [], "url": [], "tweet": {"user": "TeamDreier", "tweet": "#Phishing #BEC_fraud\nO365 BEC fraud >300 BEC attacks against company's. gov and more worldwide with the ExRobotos V2 2019 phishkit\nYou can follow the attacks on virustotal and see everything with SIE Europe pDNS. Let the hunt begin ;-)\n https://www.virustotal.com/gui/ip-address/162.241.127.207/relations\n@peterkruse https://twitter.com/TeamDreier/status/1319956056794157060/photo/1", "id": "1319956056794157060", "retweets": 3, "link": "https://twitter.com/TeamDreier/status/1319956056794157060", "mentions": ["@peterkruse"], "hashtags": ["#Phishing", "#BEC_fraud"], "date": {"$date": 1603537022000}, "timestamp": 1603529822}}, {"reference": ["https://www.virustotal.com/gui/file/b6f30461db13d84d4c28627955137bf0b1f53b9bd1a76f0484baf0a3ffe1c212/detection/f-b6f30461db13d84d4c28627955137bf0b1f53b9bd1a76f0484baf0a3ffe1c212-1588896043"], "md5": [], "sha1": [], "sha256": ["b6f30461db13d84d4c28627955137bf0b1f53b9bd1a76f0484baf0a3ffe1c212"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 68\nVirusTotal: https://www.virustotal.com/gui/file/b6f30461db13d84d4c28627955137bf0b1f53b9bd1a76f0484baf0a3ffe1c212/detection/f-b6f30461db13d84d4c28627955137bf0b1f53b9bd1a76f0484baf0a3ffe1c212-1588896043\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319961847123070977", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319961847123070977", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603538402000}, "timestamp": 1603531202}}, {"reference": ["https://www.virustotal.com/gui/file/8da2855fa72685bb0c7d5c1105169322b4f243e0bc61673a176eed68ade7db52/detection/f-8da2855fa72685bb0c7d5c1105169322b4f243e0bc61673a176eed68ade7db52-1598034924"], "md5": [], "sha1": [], "sha256": ["8da2855fa72685bb0c7d5c1105169322b4f243e0bc61673a176eed68ade7db52"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 56\nVirusTotal: https://www.virustotal.com/gui/file/8da2855fa72685bb0c7d5c1105169322b4f243e0bc61673a176eed68ade7db52/detection/f-8da2855fa72685bb0c7d5c1105169322b4f243e0bc61673a176eed68ade7db52-1598034924\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319964363399286784", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319964363399286784", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603539002000}, "timestamp": 1603531802}}, {"reference": ["https://www.virustotal.com/gui/file/a02a8029b5dc1cc09cd49efa4db79ab8538b9edefed9c15a5ed70fe70d89a206/detection/f-a02a8029b5dc1cc09cd49efa4db79ab8538b9edefed9c15a5ed70fe70d89a206-1600781847"], "md5": [], "sha1": [], "sha256": ["a02a8029b5dc1cc09cd49efa4db79ab8538b9edefed9c15a5ed70fe70d89a206"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 58\nVirusTotal: https://www.virustotal.com/gui/file/a02a8029b5dc1cc09cd49efa4db79ab8538b9edefed9c15a5ed70fe70d89a206/detection/f-a02a8029b5dc1cc09cd49efa4db79ab8538b9edefed9c15a5ed70fe70d89a206-1600781847\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319966878647857152", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319966878647857152", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603539602000}, "timestamp": 1603532402}}, {"reference": ["https://www.virustotal.com/gui/file/eca1bfeb0c6a3a15e21aeb237ff4aabddd141ca265c6086fdbf8fbf2e0756a98/detection/f-eca1bfeb0c6a3a15e21aeb237ff4aabddd141ca265c6086fdbf8fbf2e0756a98-1603534047"], "md5": [], "sha1": [], "sha256": ["eca1bfeb0c6a3a15e21aeb237ff4aabddd141ca265c6086fdbf8fbf2e0756a98"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 61\nVirusTotal: https://www.virustotal.com/gui/file/eca1bfeb0c6a3a15e21aeb237ff4aabddd141ca265c6086fdbf8fbf2e0756a98/detection/f-eca1bfeb0c6a3a15e21aeb237ff4aabddd141ca265c6086fdbf8fbf2e0756a98-1603534047\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1319974429389148163", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1319974429389148163", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603541402000}, "timestamp": 1603534202}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/hsB2yycz"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 2 IOC update\n https://pastebin.com/hsB2yycz", "id": "1319974457478434816", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1319974457478434816", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603541409000}, "timestamp": 1603534209}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/3xKTjDiV"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 1 IOC update\n https://pastebin.com/3xKTjDiV", "id": "1319974569764151296", "retweets": 1, "link": "https://twitter.com/Cryptolaemus1/status/1319974569764151296", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603541436000}, "timestamp": 1603534236}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/Gssw7UYB"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 3 IOC update\n https://pastebin.com/Gssw7UYB", "id": "1319975037512896513", "retweets": 1, "link": "https://twitter.com/Cryptolaemus1/status/1319975037512896513", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603541547000}, "timestamp": 1603534347}}, {"reference": ["https://www.virustotal.com/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["file.io"], "url": ["http://file.io"], "tweet": {"user": "evidencenotfear", "tweet": "@PropaPanda1 @CherylBoruszko @Vernia @StandUpX2 There are a bunch of services available. http://file.io comes up as clean but I personally haven't used it.\n\nDo a web search for a service and check against\n https://www.virustotal.com/", "id": "1319988789159276545", "retweets": 0, "link": "https://twitter.com/evidencenotfear/status/1319988789159276545", "mentions": ["@PropaPanda1", "@CherylBoruszko", "@Vernia", "@StandUpX2"], "hashtags": [], "date": {"$date": 1603544826000}, "timestamp": 1603537626}}, {"reference": ["https://fr.libreoffice.org/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["fr.libreoffice.org"], "url": ["https://fr.libreoffice.org"], "tweet": {"user": "yvesago", "tweet": "@KtzwaA https://fr.libreoffice.org/ et tu ne seras plus jamais emmerd\u00e9e", "id": "1320001355117973504", "retweets": 0, "link": "https://twitter.com/yvesago/status/1320001355117973504", "mentions": ["@KtzwaA"], "hashtags": [], "date": {"$date": 1603547822000}, "timestamp": 1603540622}}, {"reference": ["https://www.virustotal.com/gui/file/6f6cf26d5f42c6ba2eaa871427584a87dbe047a0a7f4164248fe375ee9ac2f16/detection/f-6f6cf26d5f42c6ba2eaa871427584a87dbe047a0a7f4164248fe375ee9ac2f16-1585563998"], "md5": [], "sha1": [], "sha256": ["6f6cf26d5f42c6ba2eaa871427584a87dbe047a0a7f4164248fe375ee9ac2f16"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/6f6cf26d5f42c6ba2eaa871427584a87dbe047a0a7f4164248fe375ee9ac2f16/detection/f-6f6cf26d5f42c6ba2eaa871427584a87dbe047a0a7f4164248fe375ee9ac2f16-1585563998\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320004630210842625", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320004630210842625", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603548602000}, "timestamp": 1603541402}}, {"reference": ["https://www.virustotal.com/gui/file/5e847a2c88501d1a6be68e38ade8046e44222fa7898a6fc2ee71fe1f3a1e442c/detection/f-5e847a2c88501d1a6be68e38ade8046e44222fa7898a6fc2ee71fe1f3a1e442c-1568650951"], "md5": [], "sha1": [], "sha256": ["5e847a2c88501d1a6be68e38ade8046e44222fa7898a6fc2ee71fe1f3a1e442c"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 61\nVirusTotal: https://www.virustotal.com/gui/file/5e847a2c88501d1a6be68e38ade8046e44222fa7898a6fc2ee71fe1f3a1e442c/detection/f-5e847a2c88501d1a6be68e38ade8046e44222fa7898a6fc2ee71fe1f3a1e442c-1568650951\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320008402110713856", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320008402110713856", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603549502000}, "timestamp": 1603542302}}, {"reference": ["https://www.virustotal.com/gui/file/b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89/detection"], "md5": [], "sha1": [], "sha256": ["b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "arekfurt", "tweet": "@SBousseaden Yeah. looks like Hancitor. That figures.\n https://www.virustotal.com/gui/file/b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89/detection", "id": "1320012999948701697", "retweets": 0, "link": "https://twitter.com/arekfurt/status/1320012999948701697", "mentions": ["@SBousseaden"], "hashtags": [], "date": {"$date": 1603550598000}, "timestamp": 1603543398}}, {"reference": ["https://www.virustotal.com/gui/file/f5a90fa8e1e0441ebd100609bc51654ecdcf271fc6b0b8d1d5a1c1fc3584b49e/detection/f-f5a90fa8e1e0441ebd100609bc51654ecdcf271fc6b0b8d1d5a1c1fc3584b49e-1542392985"], "md5": [], "sha1": [], "sha256": ["f5a90fa8e1e0441ebd100609bc51654ecdcf271fc6b0b8d1d5a1c1fc3584b49e"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 51\nVirusTotal: https://www.virustotal.com/gui/file/f5a90fa8e1e0441ebd100609bc51654ecdcf271fc6b0b8d1d5a1c1fc3584b49e/detection/f-f5a90fa8e1e0441ebd100609bc51654ecdcf271fc6b0b8d1d5a1c1fc3584b49e-1542392985\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320031053634031618", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320031053634031618", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603554902000}, "timestamp": 1603547702}}, {"reference": ["https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/community"], "md5": [], "sha1": [], "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "m0rb", "tweet": "2020-10-24T15:58:16 - Commented: https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/community #malware #commandinjection", "id": "1320031867811319808", "retweets": 0, "link": "https://twitter.com/m0rb/status/1320031867811319808", "mentions": [], "hashtags": ["#malware", "#commandinjection"], "date": {"$date": 1603555096000}, "timestamp": 1603547896}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/F52r4pNg"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 2 IOC update\n https://pastebin.com/F52r4pNg", "id": "1320034806026129409", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1320034806026129409", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603555797000}, "timestamp": 1603548597}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/Jq2Azx6u"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 1 IOC update\n https://pastebin.com/Jq2Azx6u", "id": "1320034872514256903", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1320034872514256903", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603555813000}, "timestamp": 1603548613}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/ZcYvKDLb"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 3 IOC update\n https://pastebin.com/ZcYvKDLb", "id": "1320035496563777538", "retweets": 0, "link": "https://twitter.com/Cryptolaemus1/status/1320035496563777538", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603555962000}, "timestamp": 1603548762}}, {"reference": ["https://www.cnet.com/news/new-york-sues-dunkin-donuts-over-hack-affecting-thousands-of-people/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["www.cnet.com"], "url": ["https://www.cnet.com/news/new-york-sues-dunkin-donuts-over-hack-affecting-thousands-of-people"], "tweet": {"user": "pmelson", "tweet": "@ysmithnd I\u2019m just gonna leave this here.. https://www.cnet.com/news/new-york-sues-dunkin-donuts-over-hack-affecting-thousands-of-people/", "id": "1320040894129733637", "retweets": 1, "link": "https://twitter.com/pmelson/status/1320040894129733637", "mentions": ["@ysmithnd"], "hashtags": [], "date": {"$date": 1603557248000}, "timestamp": 1603550048}}, {"reference": ["https://www.virustotal.com/gui/file/2956e467c009a30673443cb003979891d4142e1ccdd41e135b1f9bc0f332ae9d/detection/f-2956e467c009a30673443cb003979891d4142e1ccdd41e135b1f9bc0f332ae9d-1564030768"], "md5": [], "sha1": [], "sha256": ["2956e467c009a30673443cb003979891d4142e1ccdd41e135b1f9bc0f332ae9d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 64\nVirusTotal: https://www.virustotal.com/gui/file/2956e467c009a30673443cb003979891d4142e1ccdd41e135b1f9bc0f332ae9d/detection/f-2956e467c009a30673443cb003979891d4142e1ccdd41e135b1f9bc0f332ae9d-1564030768\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320043636076281863", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320043636076281863", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603557902000}, "timestamp": 1603550702}}, {"reference": ["https://www.virustotal.com/gui/file/3d1cc5fb2fc37f326ff56e19fa2c4ffd2c92fd41ce1926e61382ed58c7d9ed48/detection/f-3d1cc5fb2fc37f326ff56e19fa2c4ffd2c92fd41ce1926e61382ed58c7d9ed48-1583186717"], "md5": [], "sha1": [], "sha256": ["3d1cc5fb2fc37f326ff56e19fa2c4ffd2c92fd41ce1926e61382ed58c7d9ed48"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 68\nVirusTotal: https://www.virustotal.com/gui/file/3d1cc5fb2fc37f326ff56e19fa2c4ffd2c92fd41ce1926e61382ed58c7d9ed48/detection/f-3d1cc5fb2fc37f326ff56e19fa2c4ffd2c92fd41ce1926e61382ed58c7d9ed48-1583186717\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320044896091340802", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320044896091340802", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603558203000}, "timestamp": 1603551003}}, {"reference": ["https://www.virustotal.com/gui/file/50a41d75138c51379fd1fcc8388d0c2818acfc538be821132697c37e71e36d2d/detection/f-50a41d75138c51379fd1fcc8388d0c2818acfc538be821132697c37e71e36d2d-1587688586"], "md5": [], "sha1": [], "sha256": ["50a41d75138c51379fd1fcc8388d0c2818acfc538be821132697c37e71e36d2d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 66\nVirusTotal: https://www.virustotal.com/gui/file/50a41d75138c51379fd1fcc8388d0c2818acfc538be821132697c37e71e36d2d/detection/f-50a41d75138c51379fd1fcc8388d0c2818acfc538be821132697c37e71e36d2d-1587688586\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320053702850453504", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320053702850453504", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603560302000}, "timestamp": 1603553102}}, {"reference": ["https://bazaar.abuse.ch/sample/06001437f8438e2f8d4027e4e0661e605fc37388098043e1391c7bc3abec6d2e/", "https://twitter.com/felipetarijon/status/1320053946589773826/photo/1"], "md5": [], "sha1": [], "sha256": ["06001437f8438e2f8d4027e4e0661e605fc37388098043e1391c7bc3abec6d2e"], "mail": [], "ip": [], "domain": ["graceland777.ddns.net"], "url": [], "tweet": {"user": "felipetarijon", "tweet": "Analyzing this avemaria stealer:\n\nOrden CW62175Q. pdf.exe\nTime Stamp: 2020:10:23 11:26:03-03:00\n https://bazaar.abuse.ch/sample/06001437f8438e2f8d4027e4e0661e605fc37388098043e1391c7bc3abec6d2e/\n \nc2: graceland777.ddns.net (port 7773)\n\n#AVE_MARIA https://twitter.com/felipetarijon/status/1320053946589773826/photo/1", "id": "1320053946589773826", "retweets": 0, "link": "https://twitter.com/felipetarijon/status/1320053946589773826", "mentions": [], "hashtags": ["#AVE_MARIA"], "date": {"$date": 1603560360000}, "timestamp": 1603553160}}, {"reference": ["https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/)."], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["109.92.5.143"], "domain": [], "url": [], "tweet": {"user": "bad_packets", "tweet": "Mass scanning activity detected from 109.92.5.143 (\ud83c\uddf7\ud83c\uddf8) attempting to exploit Citrix (NetScaler) servers vulnerable to CVE-2019-19781 ( https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/).\n\nQuery our API for \"tags= CVE-2019-19781\" for the full payload and relevant indicators. #threatintel", "id": "1320065027571806209", "retweets": 8, "link": "https://twitter.com/bad_packets/status/1320065027571806209", "mentions": [], "hashtags": ["#threatintel"], "date": {"$date": 1603563002000}, "timestamp": 1603555802}}, {"reference": ["https://nvd.nist.gov/vuln/detail/cve-2019-11510).", "https://twitter.com/bad_packets/status/1320065628548419584/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["12.239.13.148"], "domain": [], "url": [], "tweet": {"user": "bad_packets", "tweet": "Mass scanning activity detected from 12.239.13.148 (\ud83c\uddfa\ud83c\uddf8) checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510 ( https://nvd.nist.gov/vuln/detail/CVE-2019-11510). #threatintel https://twitter.com/bad_packets/status/1320065628548419584/photo/1", "id": "1320065628548419584", "retweets": 6, "link": "https://twitter.com/bad_packets/status/1320065628548419584", "mentions": [], "hashtags": ["#threatintel"], "date": {"$date": 1603563146000}, "timestamp": 1603555946}}, {"reference": ["https://www.virustotal.com/gui/file/313489c1baa31ea7bf32daf144a67f86767ddc1f12aaf1f4f7445a20447a8a18/detection", "https://twitter.com/3xs0/status/1320078077960032258/photo/1"], "md5": [], "sha1": [], "sha256": ["313489c1baa31ea7bf32daf144a67f86767ddc1f12aaf1f4f7445a20447a8a18"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "3XS0", "tweet": "#Rogue (HiddenTear) #Ransomware extension .rogue!\nRansom note;READ_IT.txt\nSample https://www.virustotal.com/gui/file/313489c1baa31ea7bf32daf144a67f86767ddc1f12aaf1f4f7445a20447a8a18/detection https://twitter.com/3XS0/status/1320078077960032258/photo/1", "id": "1320078077960032258", "retweets": 2, "link": "https://twitter.com/3XS0/status/1320078077960032258", "mentions": [], "hashtags": ["#Rogue", "#Ransomware"], "date": {"$date": 1603566114000}, "timestamp": 1603558914}}, {"reference": ["https://www.virustotal.com/gui/file/b66a49e25cd0faeaf683453bdcfdd98ccd83672d4d4d3fcc98e9a19527ac863d/detection/f-b66a49e25cd0faeaf683453bdcfdd98ccd83672d4d4d3fcc98e9a19527ac863d-1577498717"], "md5": [], "sha1": [], "sha256": ["b66a49e25cd0faeaf683453bdcfdd98ccd83672d4d4d3fcc98e9a19527ac863d"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 65\nVirusTotal: https://www.virustotal.com/gui/file/b66a49e25cd0faeaf683453bdcfdd98ccd83672d4d4d3fcc98e9a19527ac863d/detection/f-b66a49e25cd0faeaf683453bdcfdd98ccd83672d4d4d3fcc98e9a19527ac863d-1577498717\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320078868770902016", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320078868770902016", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603566302000}, "timestamp": 1603559102}}, {"reference": ["https://www.virustotal.com/gui/file/d419db3b604a35467b11300873213986f310e44dba7da34d692eefcb46003d39/details", "https://twitter.com/3xs0/status/1320080492507598848/photo/1"], "md5": [], "sha1": [], "sha256": ["d419db3b604a35467b11300873213986f310e44dba7da34d692eefcb46003d39"], "mail": [], "ip": [], "domain": ["valhalla.nextron-systems.com"], "url": ["https://valhalla.nextron-systems.com/info/rule/SUSP_Microsoft_Typo"], "tweet": {"user": "3XS0", "tweet": "Idea: Let's detect malware by typos made by clumsy threat actors .. \n\nEdge Update\n https://www.virustotal.com/gui/file/d419db3b604a35467b11300873213986f310e44dba7da34d692eefcb46003d39/details\n\nRule Info Page\n https://valhalla.nextron-systems.com/info/rule/SUSP_Microsoft_Typo https://twitter.com/3XS0/status/1320080492507598848/photo/1", "id": "1320080492507598848", "retweets": 0, "link": "https://twitter.com/3XS0/status/1320080492507598848", "mentions": [], "hashtags": [], "date": {"$date": 1603566689000}, "timestamp": 1603559489}}, {"reference": ["https://www.virustotal.com/gui/file/27dc5e7a6760074f3bb0a846b6d079ae53f33b86efed37a45749dfebc2ddfa2b/detection", "https://twitter.com/3xs0/status/1320082951133122560/photo/1", "https://www.virustotal.com/gui/file/4c097f4520611580ec899476d6a20b246bece3e7b4400f24fac948a766f2c620/detection", "https://www.virustotal.com/gui/file/3b594b0222c477d6841ae81621e6ec44764d6f7e5273d1c0842eb2515a13a64f/detection"], "md5": [], "sha1": [], "sha256": ["27dc5e7a6760074f3bb0a846b6d079ae53f33b86efed37a45749dfebc2ddfa2b", "4c097f4520611580ec899476d6a20b246bece3e7b4400f24fac948a766f2c620", "3b594b0222c477d6841ae81621e6ec44764d6f7e5273d1c0842eb2515a13a64f"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "3XS0", "tweet": "This PoC maldoc extracts a payload from a zip file to run as a scheduled task. Where does the zip file come from? It's the .DOCM itself saved as a ZIP!\n\ud83d\udcce https://www.virustotal.com/gui/file/27dc5e7a6760074f3bb0a846b6d079ae53f33b86efed37a45749dfebc2ddfa2b/detection\n\ud83d\udcce https://www.virustotal.com/gui/file/4c097f4520611580ec899476d6a20b246bece3e7b4400f24fac948a766f2c620/detection\n\ud83d\udcce https://www.virustotal.com/gui/file/3b594b0222c477d6841ae81621e6ec44764d6f7e5273d1c0842eb2515a13a64f/detection https://twitter.com/3XS0/status/1320082951133122560/photo/1", "id": "1320082951133122560", "retweets": 0, "link": "https://twitter.com/3XS0/status/1320082951133122560", "mentions": [], "hashtags": [], "date": {"$date": 1603567276000}, "timestamp": 1603560076}}, {"reference": ["https://twitter.com/3xs0/status/1320085335674654726/photo/1", "https://www.virustotal.com/gui/url/b98c05288a2d365734a96061e65b716a55547c9ee029933c071164d9fa470c65/details)"], "md5": [], "sha1": [], "sha256": ["b98c05288a2d365734a96061e65b716a55547c9ee029933c071164d9fa470c65"], "mail": [], "ip": ["122.3.141.177"], "domain": [], "url": ["http://122.3.141.177:54047/Mozi.m"], "tweet": {"user": "3XS0", "tweet": "Active DDoS malware payload detected:\n http://122.3.141.177:54047/Mozi.m ( https://www.virustotal.com/gui/url/b98c05288a2d365734a96061e65b716a55547c9ee029933c071164d9fa470c65/details)\n\nExploit attempt source IP: 122.3.141.177 (\ud83c\uddf5\ud83c\udded)\n\nTarget: Netgear router RCE vulnerability \n#threatintel https://twitter.com/3XS0/status/1320085335674654726/photo/1", "id": "1320085335674654726", "retweets": 1, "link": "https://twitter.com/3XS0/status/1320085335674654726", "mentions": [], "hashtags": ["#threatintel"], "date": {"$date": 1603567844000}, "timestamp": 1603560644}}, {"reference": ["https://twitter.com/3xs0/status/1320090170251771906/photo/1", "https://www.virustotal.com/gui/file/8c0df145e46bbf9e022396daacabf21b5b4ba1b485d15347af75ac8f65ce34f5/detection"], "md5": [], "sha1": [], "sha256": ["8c0df145e46bbf9e022396daacabf21b5b4ba1b485d15347af75ac8f65ce34f5"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "3XS0", "tweet": "#Emotet is now using a new template.\nThe malicious macro execute an obfuscated PS.\nFirst submission: 2020-10-14 08:21:05\n\nVT: https://www.virustotal.com/gui/file/8c0df145e46bbf9e022396daacabf21b5b4ba1b485d15347af75ac8f65ce34f5/detection\n\n#malware https://twitter.com/3XS0/status/1320090170251771906/photo/1", "id": "1320090170251771906", "retweets": 1, "link": "https://twitter.com/3XS0/status/1320090170251771906", "mentions": [], "hashtags": ["#Emotet", "#malware"], "date": {"$date": 1603568997000}, "timestamp": 1603561797}}, {"reference": ["https://www.virustotal.com/gui/file/f7c133120c41db70a0b1adb0e3235e137391ee7f035773fdea6052e736b5a129/detection"], "md5": [], "sha1": [], "sha256": ["f7c133120c41db70a0b1adb0e3235e137391ee7f035773fdea6052e736b5a129"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "3XS0", "tweet": "Uploaded the unpacked and deobfuscated Venom RAT here:\n https://www.virustotal.com/gui/file/f7c133120c41db70a0b1adb0e3235e137391ee7f035773fdea6052e736b5a129/detection", "id": "1320092583998197761", "retweets": 0, "link": "https://twitter.com/3XS0/status/1320092583998197761", "mentions": [], "hashtags": [], "date": {"$date": 1603569572000}, "timestamp": 1603562372}}, {"reference": ["https://www.virustotal.com/gui/file/f1f5dbde6dec8b4fa879c27157db7a4e4bde5b4c21b4e8e7f2134b7273a1670b/detection/f-f1f5dbde6dec8b4fa879c27157db7a4e4bde5b4c21b4e8e7f2134b7273a1670b-1584925144"], "md5": [], "sha1": [], "sha256": ["f1f5dbde6dec8b4fa879c27157db7a4e4bde5b4c21b4e8e7f2134b7273a1670b"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 65\nVirusTotal: https://www.virustotal.com/gui/file/f1f5dbde6dec8b4fa879c27157db7a4e4bde5b4c21b4e8e7f2134b7273a1670b/detection/f-f1f5dbde6dec8b4fa879c27157db7a4e4bde5b4c21b4e8e7f2134b7273a1670b-1584925144\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320092708963311617", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320092708963311617", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603569602000}, "timestamp": 1603562402}}, {"reference": ["https://www.virustotal.com/gui/file/6dfc4df852a57637f0e81d011b321ee466eb49068c4c3a0c798d28a2b725eb5a/detection/f-6dfc4df852a57637f0e81d011b321ee466eb49068c4c3a0c798d28a2b725eb5a-1595292601"], "md5": [], "sha1": [], "sha256": ["6dfc4df852a57637f0e81d011b321ee466eb49068c4c3a0c798d28a2b725eb5a"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/6dfc4df852a57637f0e81d011b321ee466eb49068c4c3a0c798d28a2b725eb5a/detection/f-6dfc4df852a57637f0e81d011b321ee466eb49068c4c3a0c798d28a2b725eb5a-1595292601\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320093969557213184", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320093969557213184", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603569903000}, "timestamp": 1603562703}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/vZ1hB18c"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 1 IOC update\n https://pastebin.com/vZ1hB18c", "id": "1320095270588289024", "retweets": 1, "link": "https://twitter.com/Cryptolaemus1/status/1320095270588289024", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603570213000}, "timestamp": 1603563013}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pastebin.com"], "url": ["https://pastebin.com/UbVbKmyD"], "tweet": {"user": "Cryptolaemus1", "tweet": "URLhaus #emotet Epoch 3 IOC update\n https://pastebin.com/UbVbKmyD", "id": "1320095778891759618", "retweets": 1, "link": "https://twitter.com/Cryptolaemus1/status/1320095778891759618", "mentions": [], "hashtags": ["#emotet"], "date": {"$date": 1603570334000}, "timestamp": 1603563134}}, {"reference": ["https://www.virustotal.com/gui/file/88f8a85adcecb8f95df806164423deed21d5869da5f9d13f7fa90b83897aa167/detection/f-88f8a85adcecb8f95df806164423deed21d5869da5f9d13f7fa90b83897aa167-1590218748"], "md5": [], "sha1": [], "sha256": ["88f8a85adcecb8f95df806164423deed21d5869da5f9d13f7fa90b83897aa167"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "HeliosCert", "tweet": "@HeliosCert\nSample analysed on #virustotal\nVirusTotal-Score: 63\nVirusTotal: https://www.virustotal.com/gui/file/88f8a85adcecb8f95df806164423deed21d5869da5f9d13f7fa90b83897aa167/detection/f-88f8a85adcecb8f95df806164423deed21d5869da5f9d13f7fa90b83897aa167-1590218748\nThreat: Ransom_WCRY.SMALYM (TrendMicro)", "id": "1320106549067587586", "retweets": 0, "link": "https://twitter.com/HeliosCert/status/1320106549067587586", "mentions": ["@HeliosCert"], "hashtags": ["#virustotal"], "date": {"$date": 1603572902000}, "timestamp": 1603565702}}, {"reference": ["https://twitter.com/bad_packets/status/1320117450357133312/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["5.253.84.197"], "domain": [], "url": ["http://5.253.84.197/bins/mirai.arm7"], "tweet": {"user": "bad_packets", "tweet": "Active DDoS malware command-and-control (C2) server detected. \n\nIP address: 5.253.84.197 (\ud83c\uddf3\ud83c\uddf1)\nHosting provider: HostSlick (AS208046)\n\nC2 ports:\n666/tcp\n6660/tcp\n9999/tcp\n\nTarget: \nAVTECH IP camera / DVR RCE (multiple)\n\nPayload:\n http://5.253.84.197/bins/mirai.arm7\n#threatintel https://twitter.com/bad_packets/status/1320117450357133312/photo/1", "id": "1320117450357133312", "retweets": 5, "link": "https://twitter.com/bad_packets/status/1320117450357133312", "mentions": [], "hashtags": ["#threatintel"], "date": {"$date": 1603575501000}, "timestamp": 1603568301}}, {"reference": ["https://www.virustotal.com/gui/file/cc9550541ca5ac5f22a597e707b9ce9e593b65cd0c88143bd0c240cb5d8d0655/detection", "https://twitter.com/grujars/status/1320118445732732933/photo/1"], "md5": [], "sha1": [], "sha256": ["cc9550541ca5ac5f22a597e707b9ce9e593b65cd0c88143bd0c240cb5d8d0655"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "GrujaRS", "tweet": "#Jigsaw #Evil #Ransomware extension .evil!\nSample https://www.virustotal.com/gui/file/cc9550541ca5ac5f22a597e707b9ce9e593b65cd0c88143bd0c240cb5d8d0655/detection https://twitter.com/GrujaRS/status/1320118445732732933/photo/1", "id": "1320118445732732933", "retweets": 0, "link": "https://twitter.com/GrujaRS/status/1320118445732732933", "mentions": [], "hashtags": ["#Jigsaw", "#Evil", "#Ransomware"], "date": {"$date": 1603575738000}, "timestamp": 1603568538}}]