PULSE NAME: Order
TLP: WHITE | Author: aclause21 | Created: 2025-01-21 | Modified: 2025-01-21
IOCs: 24907 (HIGH VOLUME)
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Ransom Tofsee TEL:CreateScheduledTask Mirai Unix.Trojan.Mirai-6981169-0 Backdoor:Win32/Tofsee Ransom:Win32/Haperlock Trojan:Win32/Neurevt DDoS:Linux/Gafgyt.YA!MTB CVE-2017-17215 CVE-2023-27350 CVE-2014-8361 Trojan:Win32/Zombie.A NIDS M1 OneLouder TrojanSpy Win.Trojan.Sarwent-10012602-0 Virus:Win32/Sivis.A Win.Trojan.Installcore-1177 Win.Malware.Oxypumper-6900435-0 Win.Malware.Qshell-9875653-0
Indicators of Compromise (4 / 24907 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
CVE | CVE-2017-17215 | | 2025-01-21
CVE | CVE-2023-27350 | | 2025-01-21
CVE | CVE-2014-8361 | | 2025-01-21
CVE | CVE-2023-4966 | | 2025-01-21
References (32)
DISTINCTIO8.pdf
FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string
IDS Detections: Win32/Tofsee.AX google.com connectivity check; Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
Tofsee: 'google.com' | https://www.gov50.icu
ET TROJAN Win32/DarkWatchman Checkin Activity (POST) (This is true. They sit around watching, following...)
Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk
Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing
hubt.pornhub.com | www.pornhub.com | pornative.com
https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | pin.it | https://pin.it/
www.sweetheartvideo.com | https://www.sweetheartvideo.com/tsara-brashears/
Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da
IDS Detections: WGET Command Specifying Output in HTTP Headers
IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution
Yara Detections: is__elf, DemonBot
Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout
FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
IDS Detections: Andariel Backdoor Activity (Checkin)
Alerts: dead_host nids_malware_alert network_icmp nolookup_communication
DDoS:Linux/Gafgyt: FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2
IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound
IDS Detection: Mirai Variant User-Agent (Inbound); WebShell Generic - wget http - POST
IDS Detection: Observed Suspicious UA (Hello-World); Suspicious Activity potential UPnProxy
http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/
https://tulach.cc/ | tulach.cc | www-temp.metrobyt-mobile.com
apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com
autodiscover.webcompanion.com | avc-gft-dashboard.apple.com | cac1-wwfde-wave.apple.com | demo27.apple.com
https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit
https://tulach.cc/ | tulach.cc
http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com
google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl
18teen.net | teensnow.com | grannies-porn.net | pornmd.com
www.pornhubselect.com | pornhub.software