{
	"id": "76d0908e-51f4-4582-8aa4-8d62289e3e11",
	"created_at": "2026-04-06T00:09:32.660097Z",
	"updated_at": "2026-04-10T03:21:38.047739Z",
	"deleted_at": null,
	"sha1_hash": "bc5fa164c859235e1e3be207fa361438eb0391ab",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 288781,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy trainingstudent\r\nArchived: 2026-04-02 11:59:05 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:DoublePulsar\r\nPage 1 of 14\n\nWanaCrypt0r Ransomworm\r\nFileHash-MD5: 10 | URL: 1 | Domain: 5 | Hostname: 1\r\nCloned from https://otx.alienvault.com/pulse/591c4a4755434c05f8311424\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:DoublePulsar\r\nPage 2 of 14\n\n58 Subscribers\r\n157 Subscribers\r\n128 Subscribers\r\nThor Lite Windows 11 Enterprise - Scan of impacted AHS Workstation/Sample - 01.31.25 - Not\r\nEnriched\r\nCVE: 1 | FileHash-MD5: 1135 | FileHash-SHA1: 627 | FileHash-SHA256: 593 | SSLCertFingerprint: 5 | URL: 39\r\n| Domain: 5 | Email: 1 | Hostname: 11\r\nCompleted a Thor-Lite 64 Scan v. 10.7.18 on AHS Workstation/Sample Device Scan ID: S-5thsJ4jlWSA Signature\r\nDatabase: 2025/01/31-192845 Operators --intense --allfiles --vtkey *** --vtmode full Modules: Filescan 2, LogScan\r\n300, ProcessIntegrity 62 -\u003e Alerts 0, Warnings 18, Notice 350, Info 1423, Errors 0 Updated: 05.12.25\r\n128 Subscribers\r\n128 Subscribers\r\nThor Linux Lite Scan - Sample Device \u0026 SG2 - 02.07.25 - Unenriched\r\nCVE: 830 | FileHash-MD5: 701 | FileHash-SHA1: 871 | FileHash-SHA256: 897 | URL: 2920 | Domain: 388 |\r\nEmail: 17 | Hostname: 295\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:DoublePulsar\r\nPage 3 of 14\n\nTook a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device \u0026 a single drive (one of many) of\r\nthe 77 TB of: things I have but don't know what to do with --- Old Notes on previous scan attempts for this sample. 
See\r\nComments on VT MD5 de880994c51d4055c960e2d32db89774 SHA-1\r\n539e7c2eefd7a6aa17db436d83738c117f26798c SHA-256\r\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45 SSDEEP\r\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\r\nTLSH T10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF\r\n128 Subscribers\r\nThor Lite 64 - 10.09.24\r\nCVE: 13 | FileHash-MD5: 1136 | FileHash-SHA1: 647 | FileHash-SHA256: 604 | URL: 89 | Domain: 25 | Email: 2\r\n| Hostname: 47\r\nJust a Thor Lite 64 scan of 'things missed' on sample device.\r\n128 Subscribers\r\nThor Lite 64 and Orico Dive - 06.14.24\r\nFileHash-MD5: 932 | FileHash-SHA1: 483 | FileHash-SHA256: 510 | URL: 74 | Domain: 4 | Email: 1 | Hostname:\r\n47\r\nDescription SCANID: S-MYo9X22NxW8 Tags: crowdsourced base64-embedded contains-zip\r\n128 Subscribers\r\nThor Lite Scan Kano \u0026 SG2 - 06.12.24\r\nCVE: 10 | FileHash-MD5: 969 | FileHash-SHA1: 541 | FileHash-SHA256: 645 | URL: 168 | Domain: 29 | Email: 2\r\n| Hostname: 90\r\nJust a Thor-Lite scan of W11 Kano PC sample and SG2 Backup Drive 06.12.24:\r\nhttps://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?\r\ntheme=dark\r\n128 Subscribers\r\nThor-Lite - ASUS, SG1 \u0026 128 USB - 06.12.24\r\nCVE: 8 | FileHash-MD5: 1064 | FileHash-SHA1: 549 | FileHash-SHA256: 567 | URL: 105 | Domain: 19 | Email: 2\r\n| Hostname: 77\r\nJust a thor-lite scan of a sample W11 Asus Device, a backup drive, and a 128 GB US -Some false positives (b/c ya\r\nknow - community edition) 06.12.24:\r\nhttps://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?\r\ntheme=dark\r\n128 Subscribers\r\nThor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'\r\nCVE: 247 | FileHash-MD5: 1183 | FileHash-SHA1: 1553 | FileHash-SHA256: 1240 | URL: 486 | 
Domain: 294 |\r\nEmail: 8 | Hostname: 138\r\nPlease note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils\r\nutility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a\r\nrather small set of data. Have some more data to put up (picked up by Huntress Labs) - just have to get that back\r\nonline. Would love to accommodate for some confounding variables - e.g. filter for false positives, windows logs,\r\nnetworking capabilities (better than what I have now) to better inform the team taking care of me (us). Note: Given it\r\nwas using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that\r\n'falls in line' w. what I've come across. Just a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\r\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students\r\naffected that have been in contact with me or reached out).\r\n128 Subscribers\r\nUnix.Trojan.Mirai-6981158-0 | Win32/1ms0rry CoinMiner Botnet affects android user\r\nFileHash-MD5: 1195 | FileHash-SHA1: 745 | FileHash-SHA256: 1212 | URL: 2436 | Domain: 1264 | Email: 1 |\r\nHostname: 1148\r\nFound an IP address in block: http://100.116.0.0/? Found on android device user. Target is being tracked. Uses .ru but\r\ntracks back to US based on other studies. Command 'redirect blame' found in association. 
Active, moved.\r\n224 Subscribers\r\nThor Lite Scan - 10.7.15 - Ubuntu Scan on Archived Files\r\nCVE: 6108 | FileHash-MD5: 164 | FileHash-SHA1: 625 | FileHash-SHA256: 148 | URL: 2267 | Domain: 426 |\r\nEmail: 9 | Hostname: 400\r\nJoe-MBA_thor_2024-05-18_1025 Ubuntu 22.04.4 LTS Scan ID S-I9VvMTB6cZU hmmm...I can't tell if this is 'way\r\ntoo much' or 'probably fairly accurate'\r\n128 Subscribers\r\n258 Subscribers\r\n258 Subscribers\r\n181 Subscribers\r\n52 Subscribers\r\n258 Subscribers\r\n181 Subscribers\r\n37 Subscribers\r\nWe've found 236 indicators\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:DoublePulsar",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:DoublePulsar"
	],
	"report_names": [
		"pulses?q=tag:DoublePulsar"
	],
	"threat_actors": [],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc5fa164c859235e1e3be207fa361438eb0391ab.pdf",
		"text": "https://archive.orkl.eu/bc5fa164c859235e1e3be207fa361438eb0391ab.txt",
		"img": "https://archive.orkl.eu/bc5fa164c859235e1e3be207fa361438eb0391ab.jpg"
	}
}