{ "type": "IPv4", "indicator": "2.5.4.27", "general": { "whois": "http://whois.domaintools.com/2.5.4.27", "reputation": 0, "indicator": "2.5.4.27", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 3459228273, "indicator": "2.5.4.27", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda0034d0da956e10d35", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-13T07:11:11.647000", "created": "2026-05-13T04:27:12.240000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA256": 7, "URL": 31, "domain": 224, "hostname": 13, "FileHash-SHA1": 7, "Mutex": 1, "IPv4": 207, "CVE": 8 }, "indicator_count": 512, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69d653b6e87c5b1f56db3158", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies [ScoreBlue]", "description": "", "modified": "2026-05-08T13:13:03.281000", "created": "2026-04-08T13:10:14.081000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3660, "FileHash-SHA1": 2288, "FileHash-SHA256": 4720, "CVE": 8, "URL": 896, "domain": 338, "hostname": 839 }, "indicator_count": 12749, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a5a23f7ed9467ba24703ad", "name": "pdfkit.net pulses", "description": "", "modified": "2026-04-01T16:07:49.059000", "created": "2026-03-02T14:44:15.293000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 767, "domain": 1595, "FileHash-MD5": 148, "FileHash-SHA1": 109, "hostname": 299, "URL": 289, "email": 2, "CVE": 2 }, "indicator_count": 3211, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69af91f59481faae91f77234", "name": "clone scoreblue", "description": "", "modified": "2026-03-10T03:37:25.881000", "created": "2026-03-10T03:37:25.881000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3654, "FileHash-SHA1": 2282, "FileHash-SHA256": 4712, "CVE": 7, "URL": 886, "domain": 333, "hostname": 831 }, "indicator_count": 12705, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69754a5dd138f73f5cfdf78c", "name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits", "description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt", "modified": "2026-02-23T19:02:00.548000", "created": "2026-01-24T22:40:29.680000", "tags": [ "regsetvalueexa", "default", "regdword", "regbinary", "module download", "tls handshake", "high", "regsetvalueexw", "malware", "write", "win32", "ids detections", "download tls", "eternalrocks", "nsa exploits", "worm", "cryptojackers", "shadow brokers", "ransom", "ingress tool", "channel", "udp a83f8110", "get http", "get https", "dns resolutions", "root path", "encrypted", "native", "required.exe", "stolen toolset", "cyber weapons", "cyber warfare", "autonomous", "tor", "dark web", "black paper", "nsa weapons", "2017", "tao?", "targeting", "breach", "equation group tools", "installer", "stealer", "apt", "empty", "not an exit node", "empty file", "tor relay router", "traffic groups", "traffic group 815", "el tor", "tor relay", "traffic group 778", "traffic group 238", "traffic group 333", "traffic group 333", "node", "traffic group 252", "open_source_tool", "confuserex", "susp_net_name_confuserex", "eternalrocks", "svchost", "eternalrocks_svchost_fr", "obfuscated", "susp_confuserex_obfuscated", "encryption", "module", "msil", "net", "bing", "android", "libre", "mcsf", "microsoft", "active attack", "financial crimes", "EternalBlue", "EternalChampion", "EternalRocks", "Stealth", "EternalSynergy", "EternalRomance", "checks-network-adapters", "checks-user-input", "crypto", "detect-deb", "environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules" ], "references": [ "EternalRocks MALWARE RANSOM TROJAN EVADER", "The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded", "With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.", "Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual", "Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A", "IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure", "Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,", "Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i", "NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,", "EternalRomance, and EternalSynergy. Stealth", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches", "Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)", "Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp", "Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches", "Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich", "Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules", "Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt", "Matches rule MALWARE-CNC DNS Fast Flux attempt", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815", "Matches rule ET POLICY TLS possible TOR SSL traffic", "Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex", "Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware", "Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)", "Matches rule POLICY-OTHER TOR Project domain request", "Dynamic sandbox CZAE flags this file as: STEALER", "https://github.com/stamparm/EternalRocks", "(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,", "ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR", "DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe", "TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Matches rule Suspicious History File Operat Mikhail Larin, oscd.community", "Matches rule SURICATA STREAM Packet with invalid timestamp" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "CVE-2017-0148", "display_name": "CVE-2017-0148", "target": null }, { "id": "Exploit:PowerShell/CVE-2017-0143", "display_name": "Exploit:PowerShell/CVE-2017-0143", "target": "/malware/Exploit:PowerShell/CVE-2017-0143" }, { "id": "trojan.eternalrocks/shadowbrokers", "display_name": "trojan.eternalrocks/shadowbrokers", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [ "Finance", "Government", "Insurance", "Civilians", "Health" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 76, "FileHash-SHA256": 700, "URL": 280, "domain": 46, "hostname": 233, "CVE": 2 }, "indicator_count": 1419, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "68cf2c43f6493c55c8d08bf9", "name": "Executed \u2022 Installend RMS Module | .exe RMS.exe", "description": "Recap: Executed in Denver, Co.USA. Attacked a Newly purchased iPhone. Multi person attempt . Attacker executed via watch. . Related to Trump campaign Palantir text linked in references. \n\nCyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.\nCreation Date\n2023-05-01 00:28:45\nLast Modification Date\n2025-09-13 22:34:36\n- by CarlosCabal (VirusTotal)\n\nInteresting. Being used in America.", "modified": "2025-10-20T21:03:08.498000", "created": "2025-09-20T22:35:47.459000", "tags": [ "lowfi", "tektonit yara", "pulses otx", "pexe", "pe32", "intel", "vendor finding", "ms defender", "number", "install", "installend", "igor", "pavlov", "remote access tool", "dynamicloader", "medium", "dynamic", "ip address", "domain", "file name", "reads", "windows", "checks", "pehash external", "rms", "rms module", "private build", "watch", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "search", "united", "read c", "write", "persistence", "execution", "malware", "push", "copy", "next", "autorun", "unknown", "skykit", "companyname", "insta", "dod", "udp a83f8110", "encoding", "e1203 windows", "file attributes", "catalog tree", "analysis ob0001", "analysis ob0002", "f0002 polling", "control ob0004", "access ob0005", "defense evasion", "extraction", "data upload", "failed", "related tru", "unit data", "included review", "iocs", "suggestedloes", "find su", "type o", "extr", "references try", "cat antivirus", "com tektonit", "original f", "match info", "adversaries", "match unknown", "30000s", "info", "info checks", "taskjob t1053", "execution flow", "t1574 dll", "window", "tulach", "yara", "hallrender", "apple", "ios", "114.114.114.114", "targeted", "monitoring", "brian sabey & co", "tsara brashears target", "angry quasi", "pp mafia", "dangerous", "redrum", "nemtih" ], "references": [ "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "IDS: Unique rule identifier: This rule belongs to a private collection", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "Capabilities: Targeting Identify system language via API", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Malware packed. Haven\u2019t sorted all.", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "I\u2019d like to make an appeal. Please stop. Your original target has gone away." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:HSTR:MonitoringTool:TektonIt", "display_name": "#Lowfi:HSTR:MonitoringTool:TektonIt", "target": null }, { "id": "Win.Trojan.Remoteadmin-151", "display_name": "Win.Trojan.Remoteadmin-151", "target": null }, { "id": "Win.Trojan.Rfusclient", "display_name": "Win.Trojan.Rfusclient", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 479, "FileHash-SHA1": 436, "FileHash-SHA256": 2102, "URL": 659, "domain": 162, "hostname": 305, "SSLCertFingerprint": 1, "email": 6 }, "indicator_count": 4150, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6841039ff61dea1fcdcc53c1", "name": "Malicious WiFi Internet network | trojan.morstar/bundler", "description": "WiFi / Internet provider \nConcerning- targeting?\nhttp://www.dead-speak.com/PsychicMediums.htm | \nhttp://www.dead-speak.com/PsychicMediums.html |\nwww.dead-speak.com || https://pin.it/ | \nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian |\npin.it |", "modified": "2025-07-05T02:01:54.546000", "created": "2025-06-05T02:40:31.779000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "ms visual", "get http", "post http", "dns resolutions", "resolved ips", "symantec time", "stamping", "from", "algorithm", "thumbprint", "thumbprint md5", "signer", "g2 issuer", "ca valid", "serial number", "time stamping", "g4 issuer", "g2 valid", "usage ff", "code signing", "issuer certum", "certum code", "signing ca", "trusted network", "e5 e5", "d4 portable", "sha256", "overlay", "defense evasion", "access ta0006", "command", "control ta0011", "catalog tree", "anti", "ob0001", "analysis ob0002", "control ob0004", "ob0007 impact", "ob0012 file", "system oc0001", "memory oc0002", "data oc0004" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 156, "FileHash-SHA1": 139, "FileHash-SHA256": 3313, "URL": 1223, "domain": 186, "hostname": 313 }, "indicator_count": 5332, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6774a3ec9b253daddfc902a3", "name": "Sample_5adcc978b45f6a54af936c48.exe MD5 1f37eebe61bc9252bd72e643f4223896", "description": "Names\n1f37eebe61bc9252bd72e643f4223896\nSample_5adcc978b45f6a54af936c48.exe\nAutoTRON.exe\nc28961e7a22e2d5c5bce189214974a91faa11275\n17abbc9e2cd58563aba1d2f3ceb539eced16ec950ddcc3f8e068f9d0c5441096._exe", "modified": "2025-01-31T02:00:02.600000", "created": "2025-01-01T02:09:48.512000", "tags": [ "sha256", "pejzasz", "wersja pliku", "v2 dokument", "tekst ascii", "z terminatorami", "crlf", "tekst w", "ascii", "zgodny z", "user", "settings", "autoit", "sangfor zsand", "tencent habo", "zenbox", "rules not", "c2 server", "memory pattern", "analysis date", "malware", "stealer", "ransom", "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 75, "FileHash-SHA1": 2, "FileHash-SHA256": 144, "URL": 260, "domain": 51, "hostname": 110 }, "indicator_count": 642, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66c1d668b2adcc909d7608bf", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies", "description": "Neurosurgeon performed surgery on assault victim. Deemed potentially, intentionally failed by peers; Neuro terminated follow up care as patients health declined. Physicians & PT negligence, victim is medically blacklisted in Colorado. Fraud & dangerous practices have been nearly lethal. Records destroyed , refused diagnoses , silencing Issues began w/ SA while covered under Colorado workers compensation. Systemic abuse fraud, fear tactics against a1 targets puts many at risk. Denver a sanctuary city where Illegal immigrants & prisoners receive better healthcare with guards outside their doors. Colorado is corrupt, dirty dangerous and overpriced. Where's the ocean?", "modified": "2024-09-17T08:03:51.037000", "created": "2024-08-18T11:09:28.135000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3654, "FileHash-SHA1": 2282, "FileHash-SHA256": 4712, "CVE": 7, "URL": 886, "domain": 333, "hostname": 831 }, "indicator_count": 12705, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "628d95bd59109416c444c985", "name": "The infectors and The infected - string.dmp", "description": "", "modified": "2022-06-24T00:01:00.706000", "created": "2022-05-25T02:34:37.956000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1436 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "628da8dfd41d60c109a74734", "name": "#039;472.dmp.strings' Hybrid upload of string dmp", "description": "", "modified": "2022-06-24T00:01:00.706000", "created": "2022-05-25T03:56:15.238000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "windir", "runtime data", "path", "unicode", "programfiles", "indicator", "size", "runtime process", "suspicious", "install", "comspec", "model", "hybrid", "close", "click", "factory", "strings", "malicious", "team", "february", "CVE-2021-22941" ], "references": [ "https://hybrid-analysis.com/sample/74f067fe1ef9353884203c2d771590138d74cc382b508f06b175ba6fee1821b0/628d8d9075929273a838c477" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 21, "URL": 1, "CVE": 1, "FileHash-MD5": 20, "FileHash-SHA1": 19 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1436 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "references": [ "Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Malware packed. Haven\u2019t sorted all.", "Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware", "Matches rule Suspicious History File Operat Mikhail Larin, oscd.community", "cups-files.conf", "ldap.conf", "cosine.schema", "httpd-mpm.conf", "profile", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815", "collective.schema", "main.cf.proto", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "472.dmp.strings", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "com.apple.screensharing.agent.launchd", "ntp.conf", "dyngroup.ldif", "rtadvd.conf", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "main.cf", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "bashrc_Apple_Terminal", "apple_auxillary.schema", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "cupsd.conf.default", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "notify.conf", "fmserver.schema", "master.cf.proto", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "AppleOpenLDAP.plist", "https://github.com/stamparm/EternalRocks", "ppolicy.ldif", "roblox-hack-tool-jailbreak_GM431946152.pdf", "core.schema", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "asl.conf", "com.apple.slapconfig.conf", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "audit_event", "EternalRocks MALWARE RANSOM TROJAN EVADER", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems", "httpd-default.conf", "com.apple.mkb", "auto_master", "com.apple.coreduetd", "krb5-kdc.schema", "Matches rule MALWARE-CNC DNS Fast Flux attempt", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Capabilities: Targeting Identify system language via API", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "rmtab", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "snmp.conf.default", "gettytab", "nfs.conf", "mime.types", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "wifi.conf", "access", "Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "httpd-multilang-errordoc.conf", "find.codes", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "com.apple.mail", "header_checks", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad", "csh.cshrc", "Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "collective.ldif", "com.apple.MessageTracer", "Tulach: 114.114.114.114", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "hannahseenan.pornsextape.com", "proxy-html.conf", "custom_header_checks", "misc.schema", "pmi.ldif", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "afpovertcp.cfg", "com.apple.eventmonitor", "httpd-ssl.conf", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "Matches rule ET POLICY TLS possible TOR SSL traffic", "misc.ldif", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "bounce.cf.default", "mail.rc", "(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,", "Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "corba.schema", "README", "relocated", "php7.conf", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "cosine.ldif", "virtual", "postfix-files", "cupsd.conf", "DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe", "http://pornhub.com/gay/video/search", "EternalRomance, and EternalSynergy. Stealth", "newsyslog.conf", "httpd.conf", "com.apple.slapd.conf", "Matches rule User with Privileges Logon by frack113", "Matches rule POLICY-OTHER TOR Project domain request", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i", "magic", "core.ldif", "java.schema", "com.apple.install", "protocols", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "java.ldif", "netinfo.schema", "api.login.live.com", "rc.netboot", "audit_warn", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "http://connectivitycheck.gstatic.com/generate_204", "irbrc", "racoon.conf", "pmi.schema", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "openldap.ldif", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "microsoft.schema", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "samba.schema", "ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "manpaths", "main.cf.default", "microsoft.std.schema", "locate.rc", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "nis.schema", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,", "I\u2019d like to make an appeal. Please stop. Your original target has gone away.", "com.apple.xscertd.conf", "httpd-manual.conf", "com.apple.mkb.internal", "audit_control", "dyngroup.schema", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "hosts.equiv", "generic", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "corba.ldif", "com.apple.login.guest", "com.apple.authd", "canonical", "auto_home", "honey.exe", "com.apple.cdscheduler", "ntp_opendirectory.conf", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "com.apple.contacts.ContactsAutocomplete", "Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)", "cups-files.conf.default", "com.apple.networking.boringssl", "ftpusers", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "hosts", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt", "files.conf", "httpd-vhosts.conf", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "audit_class", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "httpd-languages.conf", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches", "httpd-info.conf", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "networks", "Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded", "dragonforce.io", "man.conf", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "apple.schema", "bashrc", "IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure", "https://darkconsultants.com/brent-kimball", "csh.logout", "rc.common", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR", "https://hybrid-analysis.com/sample/74f067fe1ef9353884203c2d771590138d74cc382b508f06b175ba6fee1821b0/628d8d9075929273a838c477", "autofs.conf", "csh.login", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches", "cupsd.conf.O", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "kern_loader.conf", "LICENSE", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp", "duaconf.ldif", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "aliases", "master.cf.default", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "ppolicy.schema", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "ldap.conf.default", "REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "CS Sigma Rules: Python Initiated Connection by frack113", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "nis.ldif", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "IDS: Unique rule identifier: This rule belongs to a private collection", "com.apple.iokit.power", "inetorgperson.schema", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "Matches rule SURICATA STREAM Packet with invalid timestamp", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules", "com.apple.performance", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238", "httpd-userdir.conf", "inetorgperson.ldif", "mpm.conf", "snmp.conf", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "httpd-autoindex.conf", "openldap.schema", "TLS_LICENSE", "group", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "master.cf", "Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net", "makedefs.out", "transport", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "rpc", "httpd-dav.conf", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "http://appleid.icloud.com-website33.org/", "duaconf.schema", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "Dynamic sandbox CZAE flags this file as: STEALER" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "State of Colorado" ], "malware_families": [ "Allowoverride", "Exploit:powershell/cve-2017-0143", "#lowfi:hstr:monitoringtool:tektonit", "Tofsee", "Alf:heraklezeval:backdoor:linux/mirai", "Trojandownloader:html/adodb.gen!a", "Phishing.phishinggame", "Alf:heraklezeval:backdoor:linux/tsunami", "Trojan:win32/emotet!mtb", "9002 rat", "Trojandownloader:win32/bridge", "Alf:heraklezeval:pua:win32/installmonstr", "Backdoor:win32/simda.gen!b", "Ultra vnc", "Virus.win32.virut.q", "Tulach", "Pegasus for android - s0316", "Maltiverse", "Eternalrocks", "Cve-2017-0148", "Trojan.click1.19227", "Hacktool", "Backdoor:win32/espion", "Win.trojan.remoteadmin-151", "Directoryindex", "Virus:dos/psmpc_386", "W32.sality.pe", "Emotet", "Alf:heraklezeval:backdoorlinux/mirai", "Trojanspy", "Tulach malware", "Relic", "Tel:trojanspy:win32/kedirat", "Pegasus for ios - s0289", "Alf:hstr:trojanspy:msil/keylogger", "Trojanspy:ios/xcodeghost", "Pegasus - mob-s0005", "Win.trojan.rfusclient", "Trojan.eternalrocks/shadowbrokers", "Virtool", "Trojandropper:win32", "Malaysia, truly asia", "Virus:dos/cyberwar_5300", "Trojan.scar.lzt" ], "industries": [ "Insurance", "Ngo", "Civilian society", "Health", "Government", "Healthcare", "Civilians", "Media", "Energy", "Hospitality", "Semiconductor", "Technology", "Telecommunications", "Human subjects", "Lgbtq+ activists", "Finance" ] } } }, "false_positive": [], "validation": [], "asn": "AS3215 orange s.a.", "city_data": true, "city": "Dunkirk", "region": "HDF", "continent_code": "EU", "country_code3": "FRA", "country_code2": "FR", "subdivision": "59", "latitude": 51.0336, "postal_code": "59240", "longitude": 2.3743, "accuracy_radius": 50, "country_code": "FR", "country_name": "France", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/fr.png", "flag_title": "France", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "AS3215 orange s.a.", "city_data": true, "city": "Dunkirk", "region": "HDF", "continent_code": "EU", "country_code3": "FRA", "country_code2": "FR", "subdivision": "59", "latitude": 51.0336, "postal_code": "59240", "longitude": 2.3743, "accuracy_radius": 50, "country_code": "FR", "country_name": "France", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/fr.png", "flag_title": "France" }, "geo_ipapicom": { "country": "France", "country_code": "FR", "region": "\u00cele-de-France", "city": "Paris", "zip": "75000", "latitude": 48.8575, "longitude": 2.35138, "timezone": "Europe/Paris", "isp": "France Telecom Orange", "org": "", "asn": "AS3215 Orange S.A.", "asn_name": "AS3215", "is_proxy": false, "is_hosting": false, "source": "ip-api.com" }, "pulse_count": 17, "pulses": [ { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda0034d0da956e10d35", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-13T07:11:11.647000", "created": "2026-05-13T04:27:12.240000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA256": 7, "URL": 31, "domain": 224, "hostname": 13, "FileHash-SHA1": 7, "Mutex": 1, "IPv4": 207, "CVE": 8 }, "indicator_count": 512, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69d653b6e87c5b1f56db3158", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies [ScoreBlue]", "description": "", "modified": "2026-05-08T13:13:03.281000", "created": "2026-04-08T13:10:14.081000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3660, "FileHash-SHA1": 2288, "FileHash-SHA256": 4720, "CVE": 8, "URL": 896, "domain": 338, "hostname": 839 }, "indicator_count": 12749, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a5a23f7ed9467ba24703ad", "name": "pdfkit.net pulses", "description": "", "modified": "2026-04-01T16:07:49.059000", "created": "2026-03-02T14:44:15.293000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 767, "domain": 1595, "FileHash-MD5": 148, "FileHash-SHA1": 109, "hostname": 299, "URL": 289, "email": 2, "CVE": 2 }, "indicator_count": 3211, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69af91f59481faae91f77234", "name": "clone scoreblue", "description": "", "modified": "2026-03-10T03:37:25.881000", "created": "2026-03-10T03:37:25.881000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3654, "FileHash-SHA1": 2282, "FileHash-SHA256": 4712, "CVE": 7, "URL": 886, "domain": 333, "hostname": 831 }, "indicator_count": 12705, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69754a5dd138f73f5cfdf78c", "name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits", "description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt", "modified": "2026-02-23T19:02:00.548000", "created": "2026-01-24T22:40:29.680000", "tags": [ "regsetvalueexa", "default", "regdword", "regbinary", "module download", "tls handshake", "high", "regsetvalueexw", "malware", "write", "win32", "ids detections", "download tls", "eternalrocks", "nsa exploits", "worm", "cryptojackers", "shadow brokers", "ransom", "ingress tool", "channel", "udp a83f8110", "get http", "get https", "dns resolutions", "root path", "encrypted", "native", "required.exe", "stolen toolset", "cyber weapons", "cyber warfare", "autonomous", "tor", "dark web", "black paper", "nsa weapons", "2017", "tao?", "targeting", "breach", "equation group tools", "installer", "stealer", "apt", "empty", "not an exit node", "empty file", "tor relay router", "traffic groups", "traffic group 815", "el tor", "tor relay", "traffic group 778", "traffic group 238", "traffic group 333", "traffic group 333", "node", "traffic group 252", "open_source_tool", "confuserex", "susp_net_name_confuserex", "eternalrocks", "svchost", "eternalrocks_svchost_fr", "obfuscated", "susp_confuserex_obfuscated", "encryption", "module", "msil", "net", "bing", "android", "libre", "mcsf", "microsoft", "active attack", "financial crimes", "EternalBlue", "EternalChampion", "EternalRocks", "Stealth", "EternalSynergy", "EternalRomance", "checks-network-adapters", "checks-user-input", "crypto", "detect-deb", "environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules" ], "references": [ "EternalRocks MALWARE RANSOM TROJAN EVADER", "The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded", "With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.", "Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual", "Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A", "IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure", "Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,", "Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i", "NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,", "EternalRomance, and EternalSynergy. Stealth", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches", "Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)", "Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp", "Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches", "Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich", "Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules", "Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt", "Matches rule MALWARE-CNC DNS Fast Flux attempt", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815", "Matches rule ET POLICY TLS possible TOR SSL traffic", "Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex", "Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware", "Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)", "Matches rule POLICY-OTHER TOR Project domain request", "Dynamic sandbox CZAE flags this file as: STEALER", "https://github.com/stamparm/EternalRocks", "(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,", "ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR", "DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe", "TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Matches rule Suspicious History File Operat Mikhail Larin, oscd.community", "Matches rule SURICATA STREAM Packet with invalid timestamp" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "CVE-2017-0148", "display_name": "CVE-2017-0148", "target": null }, { "id": "Exploit:PowerShell/CVE-2017-0143", "display_name": "Exploit:PowerShell/CVE-2017-0143", "target": "/malware/Exploit:PowerShell/CVE-2017-0143" }, { "id": "trojan.eternalrocks/shadowbrokers", "display_name": "trojan.eternalrocks/shadowbrokers", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [ "Finance", "Government", "Insurance", "Civilians", "Health" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 76, "FileHash-SHA256": 700, "URL": 280, "domain": 46, "hostname": 233, "CVE": 2 }, "indicator_count": 1419, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "68cf2c43f6493c55c8d08bf9", "name": "Executed \u2022 Installend RMS Module | .exe RMS.exe", "description": "Recap: Executed in Denver, Co.USA. Attacked a Newly purchased iPhone. Multi person attempt . Attacker executed via watch. . Related to Trump campaign Palantir text linked in references. \n\nCyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.\nCreation Date\n2023-05-01 00:28:45\nLast Modification Date\n2025-09-13 22:34:36\n- by CarlosCabal (VirusTotal)\n\nInteresting. Being used in America.", "modified": "2025-10-20T21:03:08.498000", "created": "2025-09-20T22:35:47.459000", "tags": [ "lowfi", "tektonit yara", "pulses otx", "pexe", "pe32", "intel", "vendor finding", "ms defender", "number", "install", "installend", "igor", "pavlov", "remote access tool", "dynamicloader", "medium", "dynamic", "ip address", "domain", "file name", "reads", "windows", "checks", "pehash external", "rms", "rms module", "private build", "watch", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "search", "united", "read c", "write", "persistence", "execution", "malware", "push", "copy", "next", "autorun", "unknown", "skykit", "companyname", "insta", "dod", "udp a83f8110", "encoding", "e1203 windows", "file attributes", "catalog tree", "analysis ob0001", "analysis ob0002", "f0002 polling", "control ob0004", "access ob0005", "defense evasion", "extraction", "data upload", "failed", "related tru", "unit data", "included review", "iocs", "suggestedloes", "find su", "type o", "extr", "references try", "cat antivirus", "com tektonit", "original f", "match info", "adversaries", "match unknown", "30000s", "info", "info checks", "taskjob t1053", "execution flow", "t1574 dll", "window", "tulach", "yara", "hallrender", "apple", "ios", "114.114.114.114", "targeted", "monitoring", "brian sabey & co", "tsara brashears target", "angry quasi", "pp mafia", "dangerous", "redrum", "nemtih" ], "references": [ "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "IDS: Unique rule identifier: This rule belongs to a private collection", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "Capabilities: Targeting Identify system language via API", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Malware packed. Haven\u2019t sorted all.", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "I\u2019d like to make an appeal. Please stop. Your original target has gone away." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:HSTR:MonitoringTool:TektonIt", "display_name": "#Lowfi:HSTR:MonitoringTool:TektonIt", "target": null }, { "id": "Win.Trojan.Remoteadmin-151", "display_name": "Win.Trojan.Remoteadmin-151", "target": null }, { "id": "Win.Trojan.Rfusclient", "display_name": "Win.Trojan.Rfusclient", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 479, "FileHash-SHA1": 436, "FileHash-SHA256": 2102, "URL": 659, "domain": 162, "hostname": 305, "SSLCertFingerprint": 1, "email": 6 }, "indicator_count": 4150, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6841039ff61dea1fcdcc53c1", "name": "Malicious WiFi Internet network | trojan.morstar/bundler", "description": "WiFi / Internet provider \nConcerning- targeting?\nhttp://www.dead-speak.com/PsychicMediums.htm | \nhttp://www.dead-speak.com/PsychicMediums.html |\nwww.dead-speak.com || https://pin.it/ | \nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian |\npin.it |", "modified": "2025-07-05T02:01:54.546000", "created": "2025-06-05T02:40:31.779000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "ms visual", "get http", "post http", "dns resolutions", "resolved ips", "symantec time", "stamping", "from", "algorithm", "thumbprint", "thumbprint md5", "signer", "g2 issuer", "ca valid", "serial number", "time stamping", "g4 issuer", "g2 valid", "usage ff", "code signing", "issuer certum", "certum code", "signing ca", "trusted network", "e5 e5", "d4 portable", "sha256", "overlay", "defense evasion", "access ta0006", "command", "control ta0011", "catalog tree", "anti", "ob0001", "analysis ob0002", "control ob0004", "ob0007 impact", "ob0012 file", "system oc0001", "memory oc0002", "data oc0004" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 156, "FileHash-SHA1": 139, "FileHash-SHA256": 3313, "URL": 1223, "domain": 186, "hostname": 313 }, "indicator_count": 5332, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "2.5.4.27", "type": "IPv4" }, "abuseipdb": { "error": "AbuseIPDB daily limit reached (1,000/day).", "indicator": "2.5.4.27" }, "urlhaus": { "indicator": "2.5.4.27", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780172752.0347826 }