ThreatFox IOC Database
You are viewing the ThreatFox database entry for the URL https://demo.alkhateeb.ae/yachted/sibling/.
Database Entry
| IOC ID: | 1836752 |
|---|---|
| IOC: | https://demo.alkhateeb.ae/yachted/sibling/ |
| IOC Type : | url |
| Threat Type : | payload_delivery |
| Malware: | Unknown malware |
| Confidence Level : | Confidence level is elevated (75%) |
| Is compromised? : | True |
| ASN: | AS19871 NETWORK-SOLUTIONS-HOSTING |
| Country: | US |
| First seen: | 2026-06-24 08:23:57 UTC |
| Last seen: | never |
| UUID: | 37049545-6fa5-11f1-97fa-42010aa4000a |
| Reporter: | Decio1 |
| Reward: | 5 credits from ThreatFox |
| Tags: | dotNET INVOICE Loader powershell vbs |
German invoice-themed VBS payload delivery URL. The downloaded sample is named "DE00920020 Rechnung R-0209020026.vbs" and is detected as malicious by Joe Sandbox with score 100/100.
Execution chain observed: wscript.exe -> hidden powershell.exe with ExecutionPolicy Bypass -> Base64 decode -> GZip decompression -> in-memory .NET assembly loading via [Reflection.Assembly]::Load() -> invocation of [Fiber.Program]::Main(...).
Sandbox behavior includes suspicious PowerShell command line, WScript dropper behavior, large payload staging through user environment variables, dynamic code loading, process injection / process hollowing indicators, anti-debugging via CheckRemoteDebuggerPresent, and HTTPS traffic to Cloudflare Workers infrastructure.
Outer VBS:
MD5: 21bf7fcfbf1f9d4474c923a533b38601
SHA1: 78401bb3200788712770e1a669f9afa3cc547113
SHA256: e2447cbf6815ee3b12954566a897a7ade16bce0cca5c06477c9781bcf9d30c58
Additional observed network IOC from sandbox:
https://blue-paper-f69f.acrypters.workers.dev/J0YH-KEUX-J9ID-2I7M/img_n0x6bn.png
Domain: blue-paper-f69f.acrypters.workers.dev
Resolved IPs: 188.114.97.12, 188.114.96.12
This IOC is submitted as payload_delivery because it is an initial download URL for the malicious VBS loader, not the observed C2 endpoint.
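The execution chain the reporter describes (script host -> hidden PowerShell with ExecutionPolicy Bypass -> Base64 -> GZip -> Assembly.Load) is something a responder usually wants to both detect in process-creation telemetry and unpack statically. The following is an added example written for this page; it is not the reporter's code, not the malware, and not tooling from ThreatFox or Joe Sandbox. The command line and the embedded "assembly" are constructed stand-ins: the stage is a fake minimal PE stub (MZ header pointing at a PE signature) that is GZip-compressed and Base64-encoded the same way the reporter describes, so the script runs offline. Function names, the event field layout and the marker strings are assumptions for illustration; the "Fiber.Program" marker is taken from the reporter's description of this one sample and will not generalise.

```python
import base64
import gzip
import re
import struct

# --- Constructed sample input (not the real payload) -------------------------

def _fake_pe() -> bytes:
    """Build a minimal stand-in for a PE file: 'MZ', e_lfanew at 0x3C -> 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 58)          # DOS header up to e_lfanew (0x3C)
    hdr += struct.pack("<I", 0x80)                  # e_lfanew: NT headers at offset 0x80
    hdr += b"\x00" * (0x80 - len(hdr))              # pad to the NT header offset
    hdr += b"PE\x00\x00" + b"\x00" * 20             # PE signature + dummy file header
    return bytes(hdr)

# Stage exactly as the reporter describes it: Base64 wrapping a GZip stream.
STAGE_B64 = base64.b64encode(gzip.compress(_fake_pe())).decode()

# Constructed PowerShell command line in the described shape (hidden window,
# ExecutionPolicy Bypass, Base64 -> GzipStream -> Assembly.Load -> Fiber.Program::Main).
SAMPLE_CMDLINE = (
    'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Command '
    '"$b=[Convert]::FromBase64String(\'' + STAGE_B64 + '\');'
    '$ms=New-Object IO.MemoryStream(,$b);'
    '$gz=New-Object IO.Compression.GzipStream($ms,[IO.Compression.CompressionMode]::Decompress);'
    '$out=New-Object IO.MemoryStream;$gz.CopyTo($out);'
    '[Reflection.Assembly]::Load($out.ToArray());[Fiber.Program]::Main($null)"'
)

# --- Static unpacking of the staged assembly ---------------------------------

B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)

def extract_stage(cmdline: str):
    """Pull the Base64 argument to FromBase64String, decode it and gunzip if needed.
    Returns the recovered bytes, or None when no such literal is present."""
    m = B64_RE.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    if raw[:2] == b"\x1f\x8b":                      # GZip magic
        raw = gzip.decompress(raw)
    return raw

def is_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' plus a valid e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\x00\x00"

# --- Detection over a process-creation event ---------------------------------

# Generic in-memory .NET loader markers plus the sample-specific type name.
LOADER_MARKERS = ("FromBase64String", "GzipStream", "Reflection.Assembly", "::Load", "Fiber.Program")

def triage(parent_image: str, image: str, cmdline: str) -> dict:
    """Score one process-creation event (assumed fields: parent image, image, command line)."""
    reasons = []
    low = cmdline.lower()
    if parent_image.lower().endswith(("wscript.exe", "cscript.exe")) and image.lower().endswith("powershell.exe"):
        reasons.append("script host spawned powershell")
    if re.search(r"-w(?:in(?:dowstyle)?)?\s+hidden", low):
        reasons.append("hidden window")
    if re.search(r"-e(?:xecutionpolicy|p|x)?\s+bypass", low):
        reasons.append("executionpolicy bypass")
    found = [mk for mk in LOADER_MARKERS if mk.lower() in low]
    if len(found) >= 2:
        reasons.append("in-memory loader markers: " + ", ".join(found))
    stage = extract_stage(cmdline)
    return {
        "reasons": reasons,
        "stage_bytes": len(stage) if stage else 0,
        "stage_is_pe": bool(stage) and is_pe(stage),
    }

if __name__ == "__main__":
    result = triage(r"C:\Windows\System32\wscript.exe",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    SAMPLE_CMDLINE)
    for r in result["reasons"]:
        print("-", r)
    print("recovered stage:", result["stage_bytes"], "bytes, PE:", result["stage_is_pe"])
```

The `is_pe` check only confirms a PE container; a real .NET assembly additionally has a CLR (COM descriptor) data directory, which this example does not parse, and a real loader may split the Base64 across variables or hide it behind `-EncodedCommand`, so treat `extract_stage` as a first-pass triage helper rather than a general deobfuscator.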