{ "type": "IPv4", "indicator": "2.5.4.3", "general": { "whois": "http://whois.domaintools.com/2.5.4.3", "reputation": 0, "indicator": "2.5.4.3", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 406154857, "indicator": "2.5.4.3", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 38, "pulses": [ { "id": "6a141e8c7ad40a0af45a7a56", "name": "monitored target - credit Q Vashti (clone)", "description": "", "modified": "2026-05-31T05:22:37.048000", "created": "2026-05-25T10:03:56.699000", "tags": [ "indicator", "source", "ck id", "show technique", "mitre att", "ck matrix", "openservice", "sha384", "file", "virtualfree", "path", "getprocaddress", "pattern match", "potential ip", "open", "date", "click", "error", "null", "false", "stream", "enterprise", "body", "crypto", "compiler", "entropy", "refresh", "download", "factory", "bind", "strings", "twitter", "roboto", "contact", "window", "tools", "span", "value", "access type", "file execution", "setval", "userprofile", "debugger", "hybrid", "persistence", "general", "suspicious", "target" ], "references": [ "https://hybrid-analysis.com/sample/12e727ab081000ced2629fef1d40f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "68409862e1722725233acace", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 35, "FileHash-SHA256": 24, "SSLCertFingerprint": 3, "URL": 294, "domain": 318, "hostname": 648, "email": 3 }, "indicator_count": 1379, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6a1b57af6e1986d0628bca12", "name": "SystemBC RAT, Quant Loader, and LogMeIn.com, combined to execute a multi-stage Corporate Styled Network Intrusion", "description": "\"Living off the Land\" Takeover (LogMeIn.com)\u201c\nINCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device.Vector: Local network exposure (compromised router/neighboring device) or physical media (USB).Attack Chain Stages:Quant Script: Obfuscated entry file bypassing network filters.SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands.LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected.Crowti (CryptoWall): Final ransomware payload to encrypt high-value data.Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. \n\nI\u2019m open to other opinions regarding this report. I have been unwell and my thinking has been unclear and even off as I focus on getting well.\nThank you.", "modified": "2026-05-30T21:33:35.237000", "created": "2026-05-30T21:33:35.237000", "tags": [ "united", "unknown aaaa", "servers", "certificate", "urls", "logmein", "ipv4", "url analysis", "files", "america flag", "level", "data upload", "extraction", "failed", "enter sc", "extri data", "include review", "stop typ", "domain don", "united states", "america asn", "net20525119201", "amazon data", "net20525119202", "address range", "cidr", "network name", "allocation type", "whois server", "entity adsn1", "handle", "sc data", "netherlands asn", "as204601 zomro", "dns resolutions", "log id", "gmtn", "timestamp", "tls web", "expiresfri", "path", "httponly", "salford", "sectigo limited", "sectigo rsa", "accept", "organization", "false", "authentication", "ocsp", "c179044d", "b89a", "d4n timestamp", "df9b", "post na", "lredmond", "stwa", "cnmicrosoft tls", "g2 rsa", "ca ocsp", "rmm domain", "search", "flashpix", "write", "unknown", "malware", "encrypt", "high", "medium", "write c", "template", "registers", "moved", "record value", "tls sni", "observed rmm", "omicrosoft", "stwashington", "server ca", "extr data", "error", "a50 data", "pattern match", "ascii text", "mitre att", "ck id", "general", "local", "click", "strings", "u extractio", "extrac data", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "signing defense", "discovery att", "code signing", "defense evasion", "t1480.002", "mrasn", "cachecontrol", "connection", "date tue", "gmt etag", "self", "etag w/\"leknjhepnj99sn\"", "name servers", "extre data", "observed dns", "query", "show", "localsm05208304", "localsm03520304", "title error", "all ipv4", "reverse dns", "as14618", "extraction data", "creato touc", "digice rsa", "sh certific", "hid iv", "trojandropper", "backdoor", "present may", "please", "x msedge", "exploit", "as8068", "av detection", "ratio", "ids detections", "content length", "content type", "x powered", "asn as16509", "x vercel", "vercel", "gmt content", "ransom", "dynamicloader", "msie", "windows nt", "wow64", "slcc2", "media center", "sysv", "buildid", "germany as8560", "yara detections", "contacted", "elf", "filehash", "av detections", "alerts", "analysis date", "file score", "low risk", "elf executable", "exec amd6464", "linux", "elf64 operation", "unix", "compiler", "elf info", "progbits", "offset size", "flags", "null", "hashes o", "get http", "post http", "entries", "trojan", "pegasus", "apple", "amazonaws", "smtp", "self-delete", "service-scan", "applayer", "madagascar", "qnapcrypt", "mal_elf_systembc_rat", "rat", "hacktool code", "systembc", "t1064", "create", "modify system", "process", "t1543 privile", "ta0004 cr", "t1543", "creation date", "whois show", "emails", "name logmein", "org logmein", "summer st", "date hash", "avast avg", "mtb jul", "k jun", "ai", "ai report", "appleremotesupport", "remotelyanywhere", "pegasus related" ], "references": [ "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/", "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy", "Amazonaws.com \u2022 Amazon.com", "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.anyxxxtube.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting", "http://212.33.237.86/images/1/report.php", "http://watchhers.net/index.php", "remoteexecution-runner-api.services.gotoresolve.com", "firebaseremoteconfig.googleapis.com", "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com", "alerts-monitor-api-fd-prodeu.services.gotoresolve.com", "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "Yara Detections: is__elf", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "Names: testpaging upof6w.exe", "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info", "https://cdn.console.gotoresolve.com/applet", "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP", "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)", "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "Matches rule SURICATA Applayer Detect protocol only one direction", "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->", "to act as their human-controlled, \"living off the land\" command station.", "Attack ChainThreat actors chain these three specific components together to bypass traditional ->", "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794", "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]", "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.", "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,", "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.", "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection", "by pulling its primary files over public SMB shares.", "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.", "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.", "This lets the threat actor route malicious command traffic into the local corporate network undetected.", "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.", "Because LogMeIn is a legitimate remote management tool used by actual IT departments,", "its outbound traffic to logmein.com domains looks completely normal to firewalls.", "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware", "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022", "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com", "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com", "appleremotesupport.com \u2022 remotelyanywhere.com", "Immediate Recommendations: Disconnect all routers and isolate the network.", "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.", "Change all credentials from a separate, clean network.", "If possible: Move to Switzerland" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Trojan.Systembc/yxgdgz", "display_name": "Trojan.Systembc/yxgdgz", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "TrojanDownloader:JS/Swabfex.P", "display_name": "TrojanDownloader:JS/Swabfex.P", "target": "/malware/TrojanDownloader:JS/Swabfex.P" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen!K", "display_name": "TrojanDropper:Win32/Cutwail.gen!K", "target": "/malware/TrojanDropper:Win32/Cutwail.gen!K" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win.Trojan.Hupigon-6989556-0", "display_name": "Win.Trojan.Hupigon-6989556-0", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 275, "FileHash-SHA1": 243, "FileHash-SHA256": 1320, "URL": 897, "domain": 796, "email": 7, "hostname": 783, "IPv4": 446, "CIDR": 2, "SSLCertFingerprint": 33 }, "indicator_count": 4802, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "14 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda0034d0da956e10d35", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-13T07:11:11.647000", "created": "2026-05-13T04:27:12.240000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA256": 7, "URL": 31, "domain": 224, "hostname": 13, "FileHash-SHA1": 7, "Mutex": 1, "IPv4": 207, "CVE": 8 }, "indicator_count": 512, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69d653b6e87c5b1f56db3158", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies [ScoreBlue]", "description": "", "modified": "2026-05-08T13:13:03.281000", "created": "2026-04-08T13:10:14.081000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3660, "FileHash-SHA1": 2288, "FileHash-SHA256": 4720, "CVE": 8, "URL": 896, "domain": 338, "hostname": 839 }, "indicator_count": 12749, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69b51f921f88bd526a24449a", "name": "2.5.4.3 Mirai Communicating File", "description": "blacklist domain security researchers - FR - ride on the US edge node", "modified": "2026-04-13T00:21:24.884000", "created": "2026-03-14T08:42:58.072000", "tags": [ "mirai" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "48 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69b51e9c8e56984753df3780", "name": "Habo Analysis System", "description": "life safety critical meeting distruptor- likely correlated to recent time events. data suggests updating location data with finer prescision and rules - SHA256:\tf13b822a76e800b7591000e93616685cf05f528ff52fcd9a9372e50629fbd734\nFile type:\tEXE\nCopyright:\t\nVersion:\t\nShell or compiler:\tPACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo\nSub-file information:\tDetail\nKey behaviour \n\nBehaviour:\tDirectly call the system key API\nDetail info:\t\nIndex = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x0044D572\nBehaviour:\tAccess CPU clock directly\nDetail info:\t\nEAX = 0x82ef8d8d, EDX = 0x0000014e\nEAX = 0x85775d16, EDX = 0x0000014e\nEAX = 0x85775d62, EDX = 0x0000014e\nEAX = 0x85775dae, EDX = 0x0000014e", "modified": "2026-04-13T00:21:24.884000", "created": "2026-03-14T08:38:52.308000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "48 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a5a23f7ed9467ba24703ad", "name": "pdfkit.net pulses", "description": "", "modified": "2026-04-01T16:07:49.059000", "created": "2026-03-02T14:44:15.293000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 767, "domain": 1595, "FileHash-MD5": 148, "FileHash-SHA1": 109, "hostname": 299, "URL": 289, "email": 2, "CVE": 2 }, "indicator_count": 3211, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69af926b7c44b84b26ce3f4e", "name": "formail.exe clone arek-btc", "description": "", "modified": "2026-03-10T21:40:19.215000", "created": "2026-03-10T03:39:23.068000", "tags": [ "sha1", "sha256", "vhash", "authentihash", "ssdeep", "\u90ae\u4ef6", "\u4f01\u4e1a\u5fae\u4fe1\u5e2e\u52a9\u4e2d\u5fc3", "windows nt", "khtml", "gecko", "read c", "ascii text", "msie", "crlf line", "ms windows", "intel", "default", "write", "malware", "copy", "agent", "next", "imphash", "virustotal", "detections", "comments", "detections name", "eeeeee e", "eeeeeee e", "eeeee delphi", "win32" ], "references": [ "http://service.exmail.qq.com/cgi-bin/help?&&id=20022&no=1000728&subtype=1", "http://connectivitycheck.gstatic.com/generate_204" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "681e0afed57810a1e5159708", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 354, "domain": 31, "hostname": 77, "URL": 172, "FileHash-MD5": 135, "FileHash-SHA1": 40, "email": 3 }, "indicator_count": 812, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69af91f59481faae91f77234", "name": "clone scoreblue", "description": "", "modified": "2026-03-10T03:37:25.881000", "created": "2026-03-10T03:37:25.881000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3654, "FileHash-SHA1": 2282, "FileHash-SHA256": 4712, "CVE": 7, "URL": 886, "domain": 333, "hostname": 831 }, "indicator_count": 12705, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "82 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69754a5dd138f73f5cfdf78c", "name": "EternalRocks (SHADOW BROKERS) MicroBotMassiveNet - NSA Exploits", "description": "Exploited | Active | Continuous \n\u201cEternalRocks\u201d (also known as MicroBotMassiveNet) is a sophisticated computer worm discovered in May 2017 that targets Windows machines, utilizing seven different NSA-leaked exploits\u2014far more than the two used by the infamous WannaCry ransomware. Trend Micro and other security researchers highlighted the danger of this malware because, unlike WannaCry, it does not have a \"kill switch\" and is designed to create a backdoor for future, more severe, and adaptable attacks * While initially, it appeared to only act as a downloader for other tools, the danger lay in its potential to be weaponized for launching ransomware, Remote Access Trojans (RATs), or other malware at a later date. \nThank you Winston & Vogt", "modified": "2026-02-23T19:02:00.548000", "created": "2026-01-24T22:40:29.680000", "tags": [ "regsetvalueexa", "default", "regdword", "regbinary", "module download", "tls handshake", "high", "regsetvalueexw", "malware", "write", "win32", "ids detections", "download tls", "eternalrocks", "nsa exploits", "worm", "cryptojackers", "shadow brokers", "ransom", "ingress tool", "channel", "udp a83f8110", "get http", "get https", "dns resolutions", "root path", "encrypted", "native", "required.exe", "stolen toolset", "cyber weapons", "cyber warfare", "autonomous", "tor", "dark web", "black paper", "nsa weapons", "2017", "tao?", "targeting", "breach", "equation group tools", "installer", "stealer", "apt", "empty", "not an exit node", "empty file", "tor relay router", "traffic groups", "traffic group 815", "el tor", "tor relay", "traffic group 778", "traffic group 238", "traffic group 333", "traffic group 333", "node", "traffic group 252", "open_source_tool", "confuserex", "susp_net_name_confuserex", "eternalrocks", "svchost", "eternalrocks_svchost_fr", "obfuscated", "susp_confuserex_obfuscated", "encryption", "module", "msil", "net", "bing", "android", "libre", "mcsf", "microsoft", "active attack", "financial crimes", "EternalBlue", "EternalChampion", "EternalRocks", "Stealth", "EternalSynergy", "EternalRomance", "checks-network-adapters", "checks-user-input", "crypto", "detect-deb", "environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules" ], "references": [ "EternalRocks MALWARE RANSOM TROJAN EVADER", "The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded", "With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.", "Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual", "Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A", "IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure", "Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,", "Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i", "NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,", "EternalRomance, and EternalSynergy. Stealth", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches", "Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)", "Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp", "Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches", "Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich", "Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules", "Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt", "Matches rule MALWARE-CNC DNS Fast Flux attempt", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815", "Matches rule ET POLICY TLS possible TOR SSL traffic", "Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex", "Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware", "Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)", "Matches rule POLICY-OTHER TOR Project domain request", "Dynamic sandbox CZAE flags this file as: STEALER", "https://github.com/stamparm/EternalRocks", "(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,", "ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR", "DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe", "TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Matches rule Suspicious History File Operat Mikhail Larin, oscd.community", "Matches rule SURICATA STREAM Packet with invalid timestamp" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "CVE-2017-0148", "display_name": "CVE-2017-0148", "target": null }, { "id": "Exploit:PowerShell/CVE-2017-0143", "display_name": "Exploit:PowerShell/CVE-2017-0143", "target": "/malware/Exploit:PowerShell/CVE-2017-0143" }, { "id": "trojan.eternalrocks/shadowbrokers", "display_name": "trojan.eternalrocks/shadowbrokers", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [ "Finance", "Government", "Insurance", "Civilians", "Health" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 76, "FileHash-SHA256": 700, "URL": 280, "domain": 46, "hostname": 233, "CVE": 2 }, "indicator_count": 1419, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69589ae12fa3212a68dfd1c7", "name": "C:\\Windows\\system32\\free", "description": "C:\\Windows\\system32\\free", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-03T04:28:17.166000", "tags": [ "sat dec", "hx83xec", "packages", "mon jun", "owner rights", "scanid", "regqueryvalue", "malware file", "mz created", "desc", "look", "dllinject", "service", "null", "defender", "malware", "desktop", "window", "shell", "june" ], "references": [ "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/summary", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 258, "FileHash-SHA1": 120, "FileHash-SHA256": 118, "URL": 52, "domain": 2, "email": 6, "hostname": 16 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6954ae6971517cdd7beb3d77", "name": "Security Vendors\\Norton", "description": "Security Vendors\\Norton", "modified": "2026-01-30T04:03:08.625000", "created": "2025-12-31T05:02:33.034000", "tags": [ "data", "drive", "no problems", "upload", "mon mar", "scanid", "sigtype1", "sigclass1", "rule matched1", "subscore1", "look", "june", "dllinject", "alphabet", "info", "winmm", "null", "malware", "powershell", "autorun", "jack", "first", "internal", "whirlpool", "updater", "code", "spyeye", "runescape", "warp", "upgrade", "copy", "defender", "date", "xmrigminer", "kevin", "eraser", "ding", "Norton", "Telus" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 59, "URL": 42, "CVE": 2, "FileHash-MD5": 1355, "FileHash-SHA1": 1177, "FileHash-SHA256": 948, "email": 4, "hostname": 37 }, "indicator_count": 3624, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69546fab13abfdf3e825b1e4", "name": "Norton\\08.30.23", "description": "Norton\\08.30.23", "modified": "2026-01-30T00:01:11.705000", "created": "2025-12-31T00:34:51.728000", "tags": [ "data", "drive", "no problems", "upload", "problems1", "progressb", "wed aug", "scanid", "mon mar", "sigtype1", "look", "june", "dllinject", "winmm", "alphabet", "autorun", "powershell", "info", "malware", "first", "jack", "whirlpool", "internal", "surtr", "ursnif", "code", "spyeye", "runescape", "warp", "null", "defender", "copy", "strings", "burn", "dreambot", "gozi", "isfb", "iron", "bitcoin", "steam", "date", "xmrigminer", "kevin", "ding", "Norton", "Telus" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52, "URL": 37, "CVE": 1, "FileHash-MD5": 1241, "FileHash-SHA1": 879, "FileHash-SHA256": 823, "email": 4, "hostname": 26 }, "indicator_count": 3063, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6919165b137fd8019d5875bb", "name": "Mirai Botnet | Hacker CatGirls Network - | HOMECLOUD.LOL Hacker Group", "description": "#spaceship #mirai #little_endian #elf #linux_backdoor_mirai _shockflash #trackers #hackers #name_chanhe #parking_crews #headspray #flash #shockwave_flash _exploits #other_malware #is _botnet #audiences #lol_hackers #nso #maliciois #spyware #abuse #infringement #hackers_catgirls #meow #succubus _cnc #c2 #moe #neco_cnc", "modified": "2025-12-16T00:06:40.275000", "created": "2025-11-16T00:10:03.491000", "tags": [ "no expiration", "filehashsha256", "expiration", "ipv4", "url https", "hostname", "url http", "filehashmd5", "filehashsha1", "domain", "mirai", "port", "destination", "south korea", "telnet login", "as9318 sk", "bad login", "china as4134", "taiwan as3462", "as3786 lg", "as4766 korea", "malware", "path", "copy", "ta0011 t1105" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "mirai", "display_name": "mirai", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 314, "FileHash-MD5": 348, "FileHash-SHA1": 346, "FileHash-SHA256": 766, "CIDR": 1, "CVE": 1, "domain": 79, "email": 1, "hostname": 212 }, "indicator_count": 2068, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "68cf2c43f6493c55c8d08bf9", "name": "Executed \u2022 Installend RMS Module | .exe RMS.exe", "description": "Recap: Executed in Denver, Co.USA. Attacked a Newly purchased iPhone. Multi person attempt . Attacker executed via watch. . Related to Trump campaign Palantir text linked in references. \n\nCyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.\nCreation Date\n2023-05-01 00:28:45\nLast Modification Date\n2025-09-13 22:34:36\n- by CarlosCabal (VirusTotal)\n\nInteresting. Being used in America.", "modified": "2025-10-20T21:03:08.498000", "created": "2025-09-20T22:35:47.459000", "tags": [ "lowfi", "tektonit yara", "pulses otx", "pexe", "pe32", "intel", "vendor finding", "ms defender", "number", "install", "installend", "igor", "pavlov", "remote access tool", "dynamicloader", "medium", "dynamic", "ip address", "domain", "file name", "reads", "windows", "checks", "pehash external", "rms", "rms module", "private build", "watch", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "search", "united", "read c", "write", "persistence", "execution", "malware", "push", "copy", "next", "autorun", "unknown", "skykit", "companyname", "insta", "dod", "udp a83f8110", "encoding", "e1203 windows", "file attributes", "catalog tree", "analysis ob0001", "analysis ob0002", "f0002 polling", "control ob0004", "access ob0005", "defense evasion", "extraction", "data upload", "failed", "related tru", "unit data", "included review", "iocs", "suggestedloes", "find su", "type o", "extr", "references try", "cat antivirus", "com tektonit", "original f", "match info", "adversaries", "match unknown", "30000s", "info", "info checks", "taskjob t1053", "execution flow", "t1574 dll", "window", "tulach", "yara", "hallrender", "apple", "ios", "114.114.114.114", "targeted", "monitoring", "brian sabey & co", "tsara brashears target", "angry quasi", "pp mafia", "dangerous", "redrum", "nemtih" ], "references": [ "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "IDS: Unique rule identifier: This rule belongs to a private collection", "Signa: Matches rule Msiexec Quiet Installation by frack113", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "Capabilities: Targeting Identify system language via API", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Malware packed. Haven\u2019t sorted all.", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "I\u2019d like to make an appeal. Please stop. Your original target has gone away." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#Lowfi:HSTR:MonitoringTool:TektonIt", "display_name": "#Lowfi:HSTR:MonitoringTool:TektonIt", "target": null }, { "id": "Win.Trojan.Remoteadmin-151", "display_name": "Win.Trojan.Remoteadmin-151", "target": null }, { "id": "Win.Trojan.Rfusclient", "display_name": "Win.Trojan.Rfusclient", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 479, "FileHash-SHA1": 436, "FileHash-SHA256": 2102, "URL": 659, "domain": 162, "hostname": 305, "SSLCertFingerprint": 1, "email": 6 }, "indicator_count": 4150, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "222 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "665c44f012d938d1c7dd591e", "name": "PIT Projekt.exe (www.pitprojekt.pl , pitprojekt.pl) oraz Ceidg.gov.pl - Dane publiczne wpisu", "description": "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4 NIP:6161230754\nhttps://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778 NIP;6112323510\nhttp://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778\n2.16.6.145146f05-9aac-4942-a42d-f2550a19c0c4 NIP:6131434311\nipv4: 2.16.6.14, 2.16.6.6, 2.16.6.1,", "modified": "2025-10-06T11:12:39.639000", "created": "2024-06-02T10:09:52.601000", "tags": [ "ceidg.gov.pl - centralna ewidencja i informacja o dzia\u0142alno\u015bci g", "prosz czeka", "pobierz plik", "wojcieszyce", "urls competing", "ceidg centralna", "gospodarczej", "wyszukiwanie", "przejd", "centrum pomocy", "informacja o", "mapa", "strona gwna", "przegldanie", "ceidg szybki", "uwagi prawne", "deklaracja", "serwer", "returnurl", "idf3ee4c4ee00", "id7a025cc6516", "wctxrm0", "idf3ee4c4", "id35146f059aa", "ideb8f4cf26ef", "id7a025cc", "id35146f0", "publicznywsz3", "id97c275c", "url wiek", "ssdeep", "sha1", "pehasz", "typlibid", "pit projekt", "chcesz", "pity online", "program", "interesuje ci", "pity zapisane", "jeli", "oddajemy w", "twoje rce", "dziki jego" ], "references": [ "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4", "https://aplikacja.ceidg.gov.pl/CEIDG/GroupMenu.aspx?key=_group_search", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=35146f05-9aac-4942-a42d-f2550a19c0c4", "http://www.pitprojekt.pl", "http://pitprojekt.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wojcieszyce", "display_name": "Wojcieszyce", "target": null }, { "id": "Serwer", "display_name": "Serwer", "target": null }, { "id": "Serwer A Przed\u0142u\u017cenie sesji #{text}", "display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text}", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8271, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1259, "URL": 6009, "hostname": 3030, "FileHash-SHA256": 10233, "FileHash-MD5": 2742, "FileHash-SHA1": 2348, "email": 75, "SSLCertFingerprint": 11, "YARA": 2, "CVE": 13, "FileHash-PEHASH": 1, "IPv4": 34, "IPv6": 6 }, "indicator_count": 25763, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "681e0afed57810a1e5159708", "name": "Foxmail.exe", "description": "MD5- 359f80e74649e20bf65ca1607989b55d\nMD5- baa281dc20752fa96021665b2963ba1a\nhttps://www.virustotal.com/gui/file/4d829d9b1096e5e70ad2bd94bc79fb2a47124aad75380154c6ee135298a84559/relations\nhttps://www.virustotal.com/gui/file/b79d5618048a8493fe6001c99cf8f05176828788afe88a562e05afe74947e88f/details", "modified": "2025-10-01T00:01:22.860000", "created": "2025-05-09T14:02:38.820000", "tags": [ "sha1", "sha256", "vhash", "authentihash", "ssdeep", "\u90ae\u4ef6", "\u4f01\u4e1a\u5fae\u4fe1\u5e2e\u52a9\u4e2d\u5fc3", "windows nt", "khtml", "gecko", "read c", "ascii text", "msie", "crlf line", "ms windows", "intel", "default", "write", "malware", "copy", "agent", "next", "imphash", "virustotal", "detections", "comments", "detections name", "eeeeee e", "eeeeeee e", "eeeee delphi", "win32" ], "references": [ "http://service.exmail.qq.com/cgi-bin/help?&&id=20022&no=1000728&subtype=1", "http://connectivitycheck.gstatic.com/generate_204" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 354, "domain": 31, "hostname": 76, "URL": 171, "FileHash-MD5": 135, "FileHash-SHA1": 40, "email": 3 }, "indicator_count": 810, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6841039ff61dea1fcdcc53c1", "name": "Malicious WiFi Internet network | trojan.morstar/bundler", "description": "WiFi / Internet provider \nConcerning- targeting?\nhttp://www.dead-speak.com/PsychicMediums.htm | \nhttp://www.dead-speak.com/PsychicMediums.html |\nwww.dead-speak.com || https://pin.it/ | \nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian |\npin.it |", "modified": "2025-07-05T02:01:54.546000", "created": "2025-06-05T02:40:31.779000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "ms visual", "get http", "post http", "dns resolutions", "resolved ips", "symantec time", "stamping", "from", "algorithm", "thumbprint", "thumbprint md5", "signer", "g2 issuer", "ca valid", "serial number", "time stamping", "g4 issuer", "g2 valid", "usage ff", "code signing", "issuer certum", "certum code", "signing ca", "trusted network", "e5 e5", "d4 portable", "sha256", "overlay", "defense evasion", "access ta0006", "command", "control ta0011", "catalog tree", "anti", "ob0001", "analysis ob0002", "control ob0004", "ob0007 impact", "ob0012 file", "system oc0001", "memory oc0002", "data oc0004" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 156, "FileHash-SHA1": 139, "FileHash-SHA256": 3313, "URL": 1223, "domain": 186, "hostname": 313 }, "indicator_count": 5332, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "68409862e1722725233acace", "name": "Monitored Target- bounty-50872035906958562", "description": "Monitored Target- bounty-50872035906958562\n(Whitelisted?)\n\u2022 Spyware\nAccesses potentially sensitive information from local browsers |\n\u2022Found a string that may be used as part of an injection method |\n\u2022 Stealer/Phishing\n\u2022 Reads FTP client related files\n\u2022 Persistence\n\u2022 Creates a fake system process\n\u2022 Modifies System Certificates Settings\n\u2022 Modifies auto-execute functionality by setting/creating a value in the registry\n\u2022 Modifies auto-execute functionality to enable the debugger hack\n\u2022 Writes data to a remote process\n\u2022 Writes to the hosts file\n\u2022 Fingerprint\nQueries +", "modified": "2025-07-04T18:05:18.397000", "created": "2025-06-04T19:02:57.999000", "tags": [ "indicator", "source", "ck id", "show technique", "mitre att", "ck matrix", "openservice", "sha384", "file", "virtualfree", "path", "getprocaddress", "pattern match", "potential ip", "open", "date", "click", "error", "null", "false", "stream", "enterprise", "body", "crypto", "compiler", "entropy", "refresh", "download", "factory", "bind", "strings", "twitter", "roboto", "contact", "window", "tools", "span", "value", "access type", "file execution", "setval", "userprofile", "debugger", "hybrid", "persistence", "general", "suspicious", "target" ], "references": [ "https://hybrid-analysis.com/sample/12e727ab081000ced2629fef1d40f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 35, "FileHash-SHA256": 24, "SSLCertFingerprint": 3, "URL": 294, "domain": 317, "hostname": 648, "email": 3 }, "indicator_count": 1378, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6814641001d7553bbd24c9f9", "name": "https://www.hybrid-analysis.com/sample/25ff97e91e1d8e1b36935ead05e8bf92cf64ca6faff4ab9c2fdca5ad4352b0e5/66000b626c42699e7d0e1065", "description": "VirusTotalUploader 0.0.1.2.3.4.5.6.7.8.9.25.. (1:30 GMT) found in the code \"Samuel Tulach\".", "modified": "2025-06-01T00:01:04.400000", "created": "2025-05-02T06:20:00.961000", "tags": [ "potential ip", "x64 cnsamuel", "tulach", "osamuel tulach", "smoravskoslezsk" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-SHA256": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "364 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "67a9f3def74f96146bc342d5", "name": "cobalt_loader_unpacked.exe", "description": "A guide to the Cobaltloader, a 32-bit executable for Windows, has been published by the University of Oxford.. and its website is published on the same day as the release.", "modified": "2025-02-10T12:41:02.752000", "created": "2025-02-10T12:41:02.752000", "tags": [ "sha256", "sha1", "size", "ms windows", "copy ssdeep", "copy imphash", "call", "imagescnmemread", "imagescncntcode", "e5a596d6h", "rsp20h", "e5a595f0h", "e5a595dch", "rsp10h", "rsp18h", "rsp04h", "rsp08h", "rsp0ch", "rax05h", "themida", "thumbprint md5", "serial number", "vs2022", "symantec time", "stamping", "from", "algorithm", "thumbprint", "globalsign root", "submission", "w5k0fa2", "connection", "i64d", "http", "userprofile", "studio", "ldap", "detail", "cdecl sol", "socks5 connect", "ca file", "error", "class", "combo", "delta", "bind", "unknown", "void", "rest", "problem", "procin", "httpports", "ipv4 address", "homenet", "externalnet", "tgi hunt", "curl", "ip address", "et hunting", "dotted quad", "clientendpoint", "perimeter", "hunting", "informational", "policy", "outbound", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "loader", "sality", "dnguard" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA256": 177, "FileHash-SHA1": 7, "YARA": 52, "email": 7, "IPv4": 38, "URL": 154, "domain": 14, "hostname": 58 }, "indicator_count": 530, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "474 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6774a3ec9b253daddfc902a3", "name": "Sample_5adcc978b45f6a54af936c48.exe MD5 1f37eebe61bc9252bd72e643f4223896", "description": "Names\n1f37eebe61bc9252bd72e643f4223896\nSample_5adcc978b45f6a54af936c48.exe\nAutoTRON.exe\nc28961e7a22e2d5c5bce189214974a91faa11275\n17abbc9e2cd58563aba1d2f3ceb539eced16ec950ddcc3f8e068f9d0c5441096._exe", "modified": "2025-01-31T02:00:02.600000", "created": "2025-01-01T02:09:48.512000", "tags": [ "sha256", "pejzasz", "wersja pliku", "v2 dokument", "tekst ascii", "z terminatorami", "crlf", "tekst w", "ascii", "zgodny z", "user", "settings", "autoit", "sangfor zsand", "tencent habo", "zenbox", "rules not", "c2 server", "memory pattern", "analysis date", "malware", "stealer", "ransom", "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 75, "FileHash-SHA1": 2, "FileHash-SHA256": 144, "URL": 260, "domain": 51, "hostname": 110 }, "indicator_count": 642, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "664b74b2683dec84891aef96", "name": "PrivateLoader is a malware with a module structure that has the capability is to download and execute one or several payloads", "description": "http://185.172.128.69/batushka/inte.exe \nhttp://185.172.128.69/allnewumm.exe\nhttp://185.172.128.69/brandumma.exe\nhttp://185.172.128.69/files\nhttp://185.172.128.69/files/US.file\nhttp://185.172.128.69/latestumma.exe\nhttp://185.172.128.69/newumma.exe\nhttp://185.172.128.69/sekundumma.exe\nhttp://185.172.128.69/ummanew.exe", "modified": "2024-10-14T20:36:05.361000", "created": "2024-05-20T16:05:06.313000", "tags": [ "stdin via", "nextron", "powershell id", "powershell", "tim rauch", "elastic", "script block", "logging", "pe32", "ms windows", "intel", "nazwa typ", "md5 nazwa", "procesu" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7268, "domain": 1310, "URL": 8101, "FileHash-SHA1": 1615, "hostname": 2590, "FileHash-MD5": 1852, "email": 267, "SSLCertFingerprint": 3, "CIDR": 38, "CVE": 7, "IPv4": 15, "YARA": 4 }, "indicator_count": 23070, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "667af85fe8fea6365adaa65d", "name": "Norton & Norton Lifelock Products", "description": "Just taking a pak at some Norton-Related Problems\n(03.11.24): https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "modified": "2024-09-29T20:01:29.028000", "created": "2024-06-25T17:03:27.155000", "tags": [ "entity", "please", "javascript", "xwwmwh4cg2hpw" ], "references": [ "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)" ], "public": 1, "adversary": "Norton Norton Lifelock Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 54, "FileHash-SHA256": 831, "URL": 1120, "domain": 181, "hostname": 261 }, "indicator_count": 2497, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66c1d668b2adcc909d7608bf", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies", "description": "Neurosurgeon performed surgery on assault victim. Deemed potentially, intentionally failed by peers; Neuro terminated follow up care as patients health declined. Physicians & PT negligence, victim is medically blacklisted in Colorado. Fraud & dangerous practices have been nearly lethal. Records destroyed , refused diagnoses , silencing Issues began w/ SA while covered under Colorado workers compensation. Systemic abuse fraud, fear tactics against a1 targets puts many at risk. Denver a sanctuary city where Illegal immigrants & prisoners receive better healthcare with guards outside their doors. Colorado is corrupt, dirty dangerous and overpriced. Where's the ocean?", "modified": "2024-09-17T08:03:51.037000", "created": "2024-08-18T11:09:28.135000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3654, "FileHash-SHA1": 2282, "FileHash-SHA256": 4712, "CVE": 7, "URL": 886, "domain": 333, "hostname": 831 }, "indicator_count": 12705, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "621 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "661 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "628d95bd59109416c444c985", "name": "The infectors and The infected - string.dmp", "description": "", "modified": "2022-06-24T00:01:00.706000", "created": "2022-05-25T02:34:37.956000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "references": [ "http://service.exmail.qq.com/cgi-bin/help?&&id=20022&no=1000728&subtype=1", "I\u2019d like to make an appeal. Please stop. Your original target has gone away.", "main.cf.proto", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "http://tshop.doido.com", "Matches rule ET POLICY TLS possible TOR SSL traffic", "group", "man.conf", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "main.cf.default", "com.apple.install", "cosine.schema", "com.apple.mkb", "protocols", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Sigma Matches", "notify.conf", "http://watchhers.net/index.php", "com.apple.coreduetd", "Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags", "6.0.0.0 United States AS749 DOD network information center \u2022 Historical telemetry", "master.cf.default", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "TNULL: unknown empty EMPTY FILEHASH-MD5 d41d8cd98f00b204e9800998ecf8427e", "rtadvd.conf", "misc.ldif", "cupsd.conf.O", "REFERENCE: https://twitter.com/stamparm/status/864865144748298242 RULE_AUTHOR: Florian Roth", "Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63", "com.apple.performance", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.", "Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,TrojanDownloader:Win32/Eterock.A", "header_checks", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9", "Matches rule SURICATA STREAM Packet with invalid timestamp", "core.schema", "dyngroup.ldif", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "kern_loader.conf", "https://aplikacja.ceidg.gov.pl/CEIDG/GroupMenu.aspx?key=_group_search", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.", "rmtab", "IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32", "Amazonaws.com \u2022 Amazon.com", "Matches rule Uncommon Svchost Command Line Parameter by Liran Ravich", "Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer", "mail.rc", "IDS: Unique rule identifier: This rule belongs to a private collection", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 778", "httpd-languages.conf", "nis.schema", "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60", "custom_header_checks", "httpd-ssl.conf", "com.apple.contacts.ContactsAutocomplete", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/iocs", "postfix-files", "api.login.live.com", "EXE:CompanyName \u2022 TektonIT EXE:EntryPoint:0x121cf \u2022 EXE:FileDescription RMS Component", "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP", "csh.cshrc", "Matches rule EternalRocks_svchost from ruleset crime_eternalrocks by Florian Roth (Nextron Systems)", "EternalRocks MALWARE RANSOM TROJAN EVADER", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "message.htm.com", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "krb5-kdc.schema", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "com.apple.authd", "com.apple.slapconfig.conf", "cups-files.conf", "ntp_opendirectory.conf", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "Matches rule DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt", "http://pitprojekt.pl", "com.apple.eventmonitor", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "traceability-qa.walmartmobile.cn", "Because LogMeIn is a legitimate remote management tool used by actual IT departments,", "The 2017 timeline accurately fits victim\u2019s major financial and other continuous First attacks began in 10/2013. Upgraded", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333", "Don\u2019t ask questions. Just terrorize. destroy equipment paid for by US citizens. What\u2019s yours is theirs.", "http://212.33.237.86/images/1/report.php", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "rpc", "Alerts: network_cnc_http network_http creates_exe uses_windows_utilities", "6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty", "Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left", "makedefs.out", "corba.ldif", "This lets the threat actor route malicious command traffic into the local corporate network undetected.", "remoteexecution-runner-api.services.gotoresolve.com", "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "Matches rule Uncommon Schost Parent Process by Florian Roth (Nextron Systems)", "apple.schema", "nfs.conf", "Matches rule SUSP_NET_NAME_ConfuserEx from ruleset gen_github_net_redteam_tools_names by Arnim Rupp", "Names: testpaging upof6w.exe", "Matches rule SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Ransomware)", "inetorgperson.ldif", "Matches rule ET JA3 Hash - Possible Malwar RigEK/Cryptowall/Dridex", "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)", "magic", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced IDS rules", "https://darkconsultants.com/brent-kimball", "csh.logout", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "He watched a \u2018target\u2019 while buying least expensive product available. Shirt with US Flag distraction", "Capabilities: Targeting Identify system language via API", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "cosine.ldif", "nis.ldif", "to act as their human-controlled, \"living off the land\" command station.", "ntp.conf", "Matches rule Suspicious History File Operat Mikhail Larin, oscd.community", "Change all credentials from a separate, clean network.", "47.courier-push-apple.com.akadns.net", "http://www.pitprojekt.pl", "https://hybrid-analysis.com/sample/12e727ab081000ced2629fef1d40f", "https://cdn.console.gotoresolve.com/applet", "dragonforce.io", "hosts.equiv", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "ldap.conf", "its outbound traffic to logmein.com domains looks completely normal to firewalls.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "Dynamic sandbox CZAE flags this file as: STEALER", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "com.apple.cdscheduler", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "files.conf", "httpd.conf", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "CS Sigma Rules: Python Initiated Connection by frack113", "gettytab", "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022", "firebaseremoteconfig.googleapis.com", "profile", "httpd-info.conf", "corba.schema", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "472.dmp.strings", "snmp.conf.default", "com.apple.login.guest", "Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com", "required.exe \u2018 trojan.eternalrocks/shadowbrokers \u2018Crowdsourced Yara Matches", "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "Matches rule INDICATOR_EXE_Packed_ConfuserEx from ruleset indicator_packed", "audit_control", "duaconf.schema", "cupsd.conf", "com.apple.networking.boringssl", "Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "microsoft.schema", "Try LogMeIn Resolve For Free \u2014 Powerful tools for device management and remote software installs from LogMeInResolve.", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Alerts: antivm_checks_available_memory queries_keyboard_layout", "Original Filename: RMS Module PrivateBuild \u2022 ProductName \u2022 RMS ProductVersion 6.0", "rc.netboot", "Non white or African American , black haired Middle Eastern 55+ male in non discreet Car", "Installed on Tsara Brashears phone in a drive up incident in October 2024", "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]", "Tulach: 114.114.114.114", "auto_master", "apple_auxillary.schema", "com.apple.iokit.power", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Yara Detections: is__elf", "httpd-userdir.conf", "IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "relocated", "snmp.conf", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "IDS Detections: Possible ETERNALROCKS .Net Module Download TLS Handshake Failure", "Matches rule User with Privileges Logon by frack113", "newsyslog.conf", "inetorgperson.schema", "The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=35146f05-9aac-4942-a42d-f2550a19c0c4", "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com", "hosts", "Worn as Watch \u2022 Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon", "Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4.", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Shelton, Nasreddine Bencherchali (Nextron stems", "httpd-dav.conf", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "http://connectivitycheck.gstatic.com/generate_204", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "ppolicy.ldif", "http://pornhub.com/gay/video/search", "audit_event", "autofs.conf", "core.ldif", "Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "bounce.cf.default", "netinfo.schema", "access", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "asl.conf", "LICENSE", "Attack ChainThreat actors chain these three specific components together to bypass traditional ->", "java.schema", "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,", "Capabilities: Persistence Create shortcut via IShellLink Communication \u2022 Write and execute a file", "Yara Detections: EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.", "openldap.ldif", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "auto_home", "bashrc_Apple_Terminal", "mpm.conf", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159", "php7.conf", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "DESCRIPTION: Detects EternalRocks Malware - file taskhost.exe", "aliases", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "TektonIT RMS Component \u2022 6.0 Internal Name \u2022 LegalCopyright\u00a9 2014 TektonIT.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]", "Yara Detections: SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost ,", "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794", "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection", "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc", "Matches rule ET JA3 Hash - [Abuse.ch] Possible Ransomware", "ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "IDS: PUA-OTHER RMS rmansys remote management tool cnc communication", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "openldap.schema", "collective.ldif", "manpaths", "afpovertcp.cfg", "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.", "Matches rule MALWARE-CNC DNS Fast Flux attempt", "parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "httpd-vhosts.conf", "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting", "Machiavellians have already built a new world with a world. Some fear the Apocalypse they created.", "canonical", "nr-data.net [Apple Private Data Collection]", "virtual", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "ftpusers", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778", "audit_class", "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "com.apple.screensharing.agent.launchd", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "cupsd.conf.default", "http://appleid.icloud.com-website33.org/", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/summary", "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "audit_warn", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252", "Alerts: allocates_rwx antisandbox_foregroundwindows", "Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "Matches rule POLICY-OTHER TOR Project domain request", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad", "httpd-autoindex.conf", "TLS_LICENSE", "hannahseenan.pornsextape.com", "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "Continued stalking \u2022 I am of course also being targeted w/ attempts requiring surgery.", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)", "Immediate Recommendations: Disconnect all routers and isolate the network.", "com.apple.MessageTracer", "Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****", "com.apple.slapd.conf", "httpd-multilang-errordoc.conf", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "locate.rc", "AppleOpenLDAP.plist", "README", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "proxy-html.conf", "Malware packed. Haven\u2019t sorted all.", "roblox-hack-tool-jailbreak_GM431946152.pdf", "http://www.google.com/images/errors/robot.png", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Capabilities: Anti-Analysis Self delete \u2022 Inspect load icon resource", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 815", "cups-files.conf.default", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "httpd-mpm.conf", "samba.schema", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "java.ldif", "main.cf", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "fmserver.schema", "httpd-default.conf", "Strangely NSO Group The Lazarus Group The Shadow Brokers and others attack an individual", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware", "pmi.ldif", "https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/EternalRocks_svchost_FR", "pmi.schema", "honey.exe", "ldap.conf.default", "master.cf.proto", "httpd-manual.conf", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Matches rule SURICATA Applayer Detect protocol only one direction", "Unique antivirus detections for files communicating with IP address", "IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply", "networks", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "master.cf", "Capabilities: Collection Get geographical location \u2022 Log keystrokes via polling", "dyngroup.schema", "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "Very dangerous. Has been going on for 12+ years affecting everyone who knew target.", "com.apple.xscertd.conf", "walmartmobile.cn", "appleremotesupport.com \u2022 remotelyanywhere.com", "NSA Exploits Used: The malware uses seven Shadow Brokers-leaked tools, including EternalBlue, EternalChampion,", "duaconf.ldif", "Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car.", "Signa: Matches rule Msiexec Quiet Installation by frack113", "com.apple.mail", "alerts-monitor-api-fd-prodeu.services.gotoresolve.com", "(The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION,", "Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "by pulling its primary files over public SMB shares.", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/", "racoon.conf", "collective.schema", "misc.schema", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "wifi.conf", "With so many \u2018officials\u2019 involved, it\u2019s hard to believe \u2018 The Shadow Brokers\u2019 isnt a government entity.", "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "generic", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "irbrc", "EternalRomance, and EternalSynergy. Stealth", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "If possible: Move to Switzerland", "Matches rule ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238", "bashrc", "csh.login", "Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "find.codes", "com.apple.mkb.internal", "mime.types", "ppolicy.schema", "Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team", "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "rc.common", "transport", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.anyxxxtube.net", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "microsoft.std.schema", "Alerts: network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_i", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Google android-cts-7.1_r6-linux_x86-arm.zip", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "https://github.com/stamparm/EternalRocks" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "State of Colorado", "Norton Norton Lifelock Telus" ], "malware_families": [ "#lowfi:hstr:monitoringtool:tektonit", "Trojandownloader:html/adodb.gen!a", "Risktool.androidos.beto", "Worm:win32/enosch!atmn", "Alf:heraklezeval:backdoorlinux/mirai", "Win.trojan.hupigon-6989556-0", "Alf:trojan:win32/cassini_6d4ebdc9!ibt", "Mirai", "Exploit:powershell/cve-2017-0143", "Cve-2017-0148", "Malaysia, truly asia", "Phishing.phishinggame", "Alf:heraklezeval:backdoor:linux/tsunami", "Pegasus - mob-s0005", "Tel:trojanspy:win32/kedirat", "Alf:heraklezeval:trojan:win32/predator!rfn", "Tofsee", "W32.sality.pe", "Trojandropper:win32", "Trojandownloader:win32/bridge", "Trojan.trojanbanker.android", "Alf:heraklezeval:backdoor:linux/mirai", "Win.malware.jaik-9968280-0", "Trojan.systembc/yxgdgz", "9002 rat", "Allowoverride", "Trojanspy:win32/nivdort.cw", "Win.trojan.remoteadmin-151", "Virtool", "Virus.win32.virut.q", "Relic", "Tulach", "Backdoor:win32/espion", "Alf:heraklezeval:pua:win32/installmonstr", "Tulach malware", "Trojan.scar.lzt", "Hacktool", "Win.trojan.gh0strat-9955419-1", "Serwer", "Doc.downloader.emotetred02220-9938909-0", "Maltiverse", "Trojan:win32/emotet!mtb", "Trojanspy", "Ransom:win32/crowti.a", "Pegasus for android - s0316", "Serwer a przed\u0142u\u017cenie sesji #{text}", "Emotet", "Directoryindex", "Trojandropper:win32/cutwail.gen!k", "Eternalrocks", "Trojanspy:ios/xcodeghost", "Ultra vnc", "Trojan.eternalrocks/shadowbrokers", "Pegasus for ios - s0289", "Virus:dos/cyberwar_5300", "Win.trojan.rfusclient", "Backdoor:win32/simda.gen!b", "Trojan.click1.19227", "Wojcieszyce", "Win.downloader.nemucod-6769668-0", "Virus:dos/psmpc_386", "Trojandownloader:js/swabfex.p", "Alf:hstr:trojanspy:msil/keylogger" ], "industries": [ "Human subjects", "Lgbtq+ activists", "Semiconductor", "Health", "Finance", "Civilians", "Media", "Healthcare", "Insurance", "Hospitality", "Ngo", "Civilian society", "Government", "Technology", "Telecommunications", "Energy" ] } } }, "false_positive": [], "validation": [], "asn": "AS3215 orange s.a.", "city_data": true, "city": "Dunkirk", "region": "HDF", "continent_code": "EU", "country_code3": "FRA", "country_code2": "FR", "subdivision": "59", "latitude": 51.0336, "postal_code": "59240", "longitude": 2.3743, "accuracy_radius": 50, "country_code": "FR", "country_name": "France", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/fr.png", "flag_title": "France", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "AS3215 orange s.a.", "city_data": true, "city": "Dunkirk", "region": "HDF", "continent_code": "EU", "country_code3": "FRA", "country_code2": "FR", "subdivision": "59", "latitude": 51.0336, "postal_code": "59240", "longitude": 2.3743, "accuracy_radius": 50, "country_code": "FR", "country_name": "France", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/fr.png", "flag_title": "France" }, "geo_ipapicom": { "country": "France", "country_code": "FR", "region": "\u00cele-de-France", "city": "Paris", "zip": "75000", "latitude": 48.8575, "longitude": 2.35138, "timezone": "Europe/Paris", "isp": "France Telecom Orange", "org": "", "asn": "AS3215 Orange S.A.", "asn_name": "AS3215", "is_proxy": false, "is_hosting": false, "source": "ip-api.com" }, "pulse_count": 38, "pulses": [ { "id": "6a141e8c7ad40a0af45a7a56", "name": "monitored target - credit Q Vashti (clone)", "description": "", "modified": "2026-05-31T05:22:37.048000", "created": "2026-05-25T10:03:56.699000", "tags": [ "indicator", "source", "ck id", "show technique", "mitre att", "ck matrix", "openservice", "sha384", "file", "virtualfree", "path", "getprocaddress", "pattern match", "potential ip", "open", "date", "click", "error", "null", "false", "stream", "enterprise", "body", "crypto", "compiler", "entropy", "refresh", "download", "factory", "bind", "strings", "twitter", "roboto", "contact", "window", "tools", "span", "value", "access type", "file execution", "setval", "userprofile", "debugger", "hybrid", "persistence", "general", "suspicious", "target" ], "references": [ "https://hybrid-analysis.com/sample/12e727ab081000ced2629fef1d40f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "68409862e1722725233acace", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 35, "FileHash-SHA256": 24, "SSLCertFingerprint": 3, "URL": 294, "domain": 318, "hostname": 648, "email": 3 }, "indicator_count": 1379, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6a1b57af6e1986d0628bca12", "name": "SystemBC RAT, Quant Loader, and LogMeIn.com, combined to execute a multi-stage Corporate Styled Network Intrusion", "description": "\"Living off the Land\" Takeover (LogMeIn.com)\u201c\nINCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device.Vector: Local network exposure (compromised router/neighboring device) or physical media (USB).Attack Chain Stages:Quant Script: Obfuscated entry file bypassing network filters.SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands.LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected.Crowti (CryptoWall): Final ransomware payload to encrypt high-value data.Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. \n\nI\u2019m open to other opinions regarding this report. I have been unwell and my thinking has been unclear and even off as I focus on getting well.\nThank you.", "modified": "2026-05-30T21:33:35.237000", "created": "2026-05-30T21:33:35.237000", "tags": [ "united", "unknown aaaa", "servers", "certificate", "urls", "logmein", "ipv4", "url analysis", "files", "america flag", "level", "data upload", "extraction", "failed", "enter sc", "extri data", "include review", "stop typ", "domain don", "united states", "america asn", "net20525119201", "amazon data", "net20525119202", "address range", "cidr", "network name", "allocation type", "whois server", "entity adsn1", "handle", "sc data", "netherlands asn", "as204601 zomro", "dns resolutions", "log id", "gmtn", "timestamp", "tls web", "expiresfri", "path", "httponly", "salford", "sectigo limited", "sectigo rsa", "accept", "organization", "false", "authentication", "ocsp", "c179044d", "b89a", "d4n timestamp", "df9b", "post na", "lredmond", "stwa", "cnmicrosoft tls", "g2 rsa", "ca ocsp", "rmm domain", "search", "flashpix", "write", "unknown", "malware", "encrypt", "high", "medium", "write c", "template", "registers", "moved", "record value", "tls sni", "observed rmm", "omicrosoft", "stwashington", "server ca", "extr data", "error", "a50 data", "pattern match", "ascii text", "mitre att", "ck id", "general", "local", "click", "strings", "u extractio", "extrac data", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "signing defense", "discovery att", "code signing", "defense evasion", "t1480.002", "mrasn", "cachecontrol", "connection", "date tue", "gmt etag", "self", "etag w/\"leknjhepnj99sn\"", "name servers", "extre data", "observed dns", "query", "show", "localsm05208304", "localsm03520304", "title error", "all ipv4", "reverse dns", "as14618", "extraction data", "creato touc", "digice rsa", "sh certific", "hid iv", "trojandropper", "backdoor", "present may", "please", "x msedge", "exploit", "as8068", "av detection", "ratio", "ids detections", "content length", "content type", "x powered", "asn as16509", "x vercel", "vercel", "gmt content", "ransom", "dynamicloader", "msie", "windows nt", "wow64", "slcc2", "media center", "sysv", "buildid", "germany as8560", "yara detections", "contacted", "elf", "filehash", "av detections", "alerts", "analysis date", "file score", "low risk", "elf executable", "exec amd6464", "linux", "elf64 operation", "unix", "compiler", "elf info", "progbits", "offset size", "flags", "null", "hashes o", "get http", "post http", "entries", "trojan", "pegasus", "apple", "amazonaws", "smtp", "self-delete", "service-scan", "applayer", "madagascar", "qnapcrypt", "mal_elf_systembc_rat", "rat", "hacktool code", "systembc", "t1064", "create", "modify system", "process", "t1543 privile", "ta0004 cr", "t1543", "creation date", "whois show", "emails", "name logmein", "org logmein", "summer st", "date hash", "avast avg", "mtb jul", "k jun", "ai", "ai report", "appleremotesupport", "remotelyanywhere", "pegasus related" ], "references": [ "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/", "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy", "Amazonaws.com \u2022 Amazon.com", "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.anyxxxtube.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting", "http://212.33.237.86/images/1/report.php", "http://watchhers.net/index.php", "remoteexecution-runner-api.services.gotoresolve.com", "firebaseremoteconfig.googleapis.com", "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com", "alerts-monitor-api-fd-prodeu.services.gotoresolve.com", "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "Yara Detections: is__elf", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "Names: testpaging upof6w.exe", "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info", "https://cdn.console.gotoresolve.com/applet", "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP", "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)", "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "Matches rule SURICATA Applayer Detect protocol only one direction", "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->", "to act as their human-controlled, \"living off the land\" command station.", "Attack ChainThreat actors chain these three specific components together to bypass traditional ->", "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794", "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]", "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.", "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,", "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.", "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection", "by pulling its primary files over public SMB shares.", "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.", "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.", "This lets the threat actor route malicious command traffic into the local corporate network undetected.", "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.", "Because LogMeIn is a legitimate remote management tool used by actual IT departments,", "its outbound traffic to logmein.com domains looks completely normal to firewalls.", "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware", "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022", "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com", "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com", "appleremotesupport.com \u2022 remotelyanywhere.com", "Immediate Recommendations: Disconnect all routers and isolate the network.", "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.", "Change all credentials from a separate, clean network.", "If possible: Move to Switzerland" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Trojan.Systembc/yxgdgz", "display_name": "Trojan.Systembc/yxgdgz", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "TrojanDownloader:JS/Swabfex.P", "display_name": "TrojanDownloader:JS/Swabfex.P", "target": "/malware/TrojanDownloader:JS/Swabfex.P" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen!K", "display_name": "TrojanDropper:Win32/Cutwail.gen!K", "target": "/malware/TrojanDropper:Win32/Cutwail.gen!K" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win.Trojan.Hupigon-6989556-0", "display_name": "Win.Trojan.Hupigon-6989556-0", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 275, "FileHash-SHA1": 243, "FileHash-SHA256": 1320, "URL": 897, "domain": 796, "email": 7, "hostname": 783, "IPv4": 446, "CIDR": 2, "SSLCertFingerprint": 33 }, "indicator_count": 4802, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "14 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda242b90bf795becbec", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:02.327000", "created": "2026-05-13T04:27:14.063000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA256": 125, "URL": 137, "domain": 434, "hostname": 200, "FileHash-SHA1": 23, "Mutex": 1, "IPv4": 235, "CVE": 9, "email": 4, "IPv6": 3 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a03fda0034d0da956e10d35", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-13T07:11:11.647000", "created": "2026-05-13T04:27:12.240000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA256": 7, "URL": 31, "domain": 224, "hostname": 13, "FileHash-SHA1": 7, "Mutex": 1, "IPv4": 207, "CVE": 8 }, "indicator_count": 512, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69d653b6e87c5b1f56db3158", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies [ScoreBlue]", "description": "", "modified": "2026-05-08T13:13:03.281000", "created": "2026-04-08T13:10:14.081000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3660, "FileHash-SHA1": 2288, "FileHash-SHA256": 4720, "CVE": 8, "URL": 896, "domain": 338, "hostname": 839 }, "indicator_count": 12749, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "2.5.4.3", "type": "IPv4" }, "abuseipdb": { "error": "AbuseIPDB daily limit reached (1,000/day).", "indicator": "2.5.4.3" }, "urlhaus": { "indicator": "2.5.4.3", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780227514.6490858 }