{ "type": "Domain", "indicator": "20.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/20.net", "alexa": "http://www.alexa.com/siteinfo/20.net", "indicator": "20.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2881696300, "indicator": "20.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 21, "pulses": [ { "id": "69e2f11d6c64ebb73108a718", "name": "Clone from 1 mo ago by me \"motherless.com\"", "description": "", "modified": "2026-04-18T04:01:08.013000", "created": "2026-04-18T02:49:01.477000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69b75475235f55af134a852e", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 130, "hostname": 386, "URL": 893, "FileHash-MD5": 855, "FileHash-SHA1": 320, "FileHash-SHA256": 320, "SSLCertFingerprint": 129 }, "indicator_count": 3033, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7dfc7d3eaadbdd2718bf8", "name": "Stealth Window", "description": "Overview\nFile Score\n10\nMalicious\nYara Detections\nNone\nAlerts\nscript_created_process\nstealth_network\nantivm_generic_disk\ninfostealer_cookies\nsuspicious_command_tools\nantidebug_guardpages\ndynamic_function_loading\nreads_self\nstealth_window\ncmdline_http_link\nMore\nIP\u2019s Contacted\n\n146.59.166.237\nDomains Contacted\nmyip.ms\nRelated Pulses\nOTX User-Created Pulses (1)\nRelated Tags\nNone\nFile Type\nVBS - ASCII text\nSize\n0 KB (350 bytes)\nMD5\ncaf3c98c7fa1b31f44441a99e85ecd30\nSHA1\nc7c8bf1cba1e48b6f128a6efcda540f79b26f0fd\nSHA256\nceaae008642b0a96ed8af154a7fcada244a85b17164d6632f9a69b32b543d354\nExternal Resources\nVirusTotal\nVirusTotal", "modified": "2026-04-15T12:09:31.789000", "created": "2026-03-16T10:47:35.092000", "tags": [ "date", "file score", "malicious yara", "detections none", "contacted", "related pulses", "pulses", "tags none", "file type", "ascii text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 12, "FileHash-SHA256": 69, "domain": 12, "CIDR": 6, "URL": 72, "hostname": 49, "email": 3 }, "indicator_count": 236, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b75475235f55af134a852e", "name": "motherless.com", "description": "sicko.", "modified": "2026-04-15T01:19:40.005000", "created": "2026-03-16T00:53:09.636000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 130, "hostname": 385, "URL": 893, "FileHash-MD5": 855, "FileHash-SHA1": 320, "FileHash-SHA256": 320, "SSLCertFingerprint": 129 }, "indicator_count": 3032, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd2f0f3ec7c87de65ffe6a", "name": "Habo Analysis System", "description": "https://www.virustotal.com/gui/file/518a965029e5e07f088fab3ba20947fd67bada1e7f8c1806fdc77e62816e9143/behavior\ndetect-debug-environment self-delete", "modified": "2026-03-20T11:29:24.006000", "created": "2026-03-20T11:27:10.993000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 6, "domain": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6919473b9e0624394e9b68e9", "name": "Backdoor:Linux/DemonBot Affecting Unsecured servers", "description": "A closer look at a hacker group found in Mirai Bot Network. Catgirls is still active , has running web server , is only viewable to group according to remarks regarding \u2018catgirls\u2019 domains , sub domains , hosts.\n\n Multiple hosts , name servers and links. .Backdoor:Linux/DemonBot Malicious attacks affecting unsecured servers (personal , business) networks, DDOS attacks , Mitre. Worm, Ransomware. \n\nHacker group has seemingly caused a fair ammunition of damage to small businesses and / or individuals/civil society.. Seen in attacks against handful of targets are in this Mirai Botnet. Of course we know how very large the Mirai Botnet is.", "modified": "2025-12-16T03:02:09.743000", "created": "2025-11-16T03:38:35.430000", "tags": [ "server", "algorithm", "x509v3 subject", "registrar abuse", "v3 serial", "spaceship", "community", "related pulses", "cidr", "mirai botnet", "hacker", "mirai att", "ck id", "group", "active", "generic pong", "reporting arch", "msie", "windows nt", "resolverror", "backdoor", "malware", "strings", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ipv4", "iocs", "drop", "review iocs", "found", "ascii text", "pattern match", "mitre att", "beginstring", "null", "refresh", "span", "hybrid", "click", "error", "tools", "look", "verify", "restart", "united", "moved", "passive dns", "urls", "record value", "unknown aaaa", "gmt content", "title", "cookie", "signing defense", "t1553 technique", "subvert trust", "controls learn", "disable", "modify tools", "defense evasion", "t1562 technique", "rdap", "domain database", "dap domain", "datab", "database", "array", "content", "ascii", "form", "initial access", "execution", "present aug", "present jul", "present nov", "present oct", "ip address", "command decode", "suricata ipv4", "localappdata", "windir", "openurl c", "programfiles", "edge", "cloudflare", "ssl certificate", "size", "starfield", "accept", "path", "general", "local", "hostname add", "pulse pulses", "read c", "port", "destination", "rgba", "unicode text", "medium", "unknown", "code", "write", "pecompact", "packer", "delphi", "win32", "persistence", "crash", "next", "china unknown", "chrome", "internal server", "next associated", "ipv4 add", "trojandropper", "date", "domain", "search", "domain add", "certificate", "next http", "scans show", "found title", "head body", "hostname", "files", "files ip", "address", "location united", "asn asnone", "present feb", "present jun", "unknown ns", "internet", "emails", "present sep", "show", "memcommit", "gapd5d", "key0", "packing t1045", "filehash", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "mirai", "json", "total", "delete", "win64", "url http", "http", "related nids", "files location", "flag united", "gmt cache", "pulse submit", "url analysis", "verdict", "win32dh", "reverse dns", "america flag", "worm", "warehouse mgmt", "built", "retailexperts", "read", "top source", "top destination", "aaaa", "ransom", "trojan", "entries", "singapore", "singapore asn", "as16509", "present mar", "creation date", "contacted", "hostile", "targeting", "whitelisted", "high", "systemroot", "as15169", "copy", "global", "dynamicloader", "directui", "yara rule", "element", "classinfobase", "ccbase", "hwndhost", "windows" ], "references": [ "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2" ], "public": 1, "adversary": "Mirai", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null }, { "id": "mirai", "display_name": "mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Worm:Win32/Locksky.gen!A", "display_name": "Worm:Win32/Locksky.gen!A", "target": "/malware/Worm:Win32/Locksky.gen!A" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1991, "domain": 428, "hostname": 882, "FileHash-SHA256": 2213, "FileHash-MD5": 675, "FileHash-SHA1": 530, "email": 7, "CIDR": 1, "CVE": 1, "SSLCertFingerprint": 23 }, "indicator_count": 6751, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bc3e255b066ad9f51d65fd", "name": "\u6f0f\u62a5\u5bb6\u65cf_\u5b57\u7b26\u4e32\u62fc\u63a5", "description": "", "modified": "2025-06-17T11:24:14.597000", "created": "2025-02-24T09:38:45.635000", "tags": [], "references": [ "https://www.virustotal.com/graph/g39dfc7371f134b7292e6af443cbfb78f47989df600c146e28ecdea053c199257" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 27, "FileHash-SHA1": 22, "FileHash-SHA256": 167, "URL": 164, "hostname": 22, "domain": 2 }, "indicator_count": 404, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 243, "modified_text": "638 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b74e347a5554e357bfe1c5", "name": "Esurance | Trojan:Win32/InstallCore | Amazonaws", "description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com\nDiscovered mid - late January 2024.", "modified": "2024-02-28T06:00:48.863000", "created": "2024-01-29T07:05:24.671000", "tags": [ "no expiration", "filehashsha256", "hostname", "filehashmd5", "expiration", "filehashsha1", "ipv4", "domain", "url https", "url http", "next", "a domains", "accept", "ad tracker", "all octoseek", "amazons3", "xcache", "analyze", "apache", "cyber threat", "defense", "cyber", "cyber defense", "crypto", "critical", "creation date", "covid19", "copy", "contacted", "collections", "code", "cloudfront", "click", "botnet", "body", "block", "best link", "beds protector", "backdoor", "back", "united", "asnone", "asn as133618", "as27647", "as24940 hetzner", "as16552 tiggee", "google", "as15169", "as133618", "apple", "apple ios", "cymulate", "date", "defacement", "default", "default page", "dock", "dock domain", "download", "domains", "emotet", "encrypt", "entries", "evader", "execution", "evader", "xamzexpires600", "write", "execution", "windows module", "module", "shared modules", "windows", "win32", "west domains", "welcome", "expiressun files files written firm collection germany unknown g", "https urls", "http url", "url", "collection", "unknown", "unique", "twitter", "tsara brashears", "trojandropper", "tracker", "metro", "tmobile", "memcommit", "meta", "title error", "threat report", "threat analyzer", "threat", "t1129", "suppobox", "stop", "steam route", "stealer", "status", "showing", "show", "set cookie", "search servers", "server", "servers", "search", "scan endpoints", "meta", "dns", "samples", "reverse", "read c", "ransom", "push", "submit", "pulse", "pulse pulses", "proxima nova", "province tx", "precreate read", "read", "post", "phishing site", "pegasus", "pe resource", "path xcache", "path", "patch", "paste", "passive dns", "open", "nymaim", "next", "name servers", "load", "module", "miss" ], "references": [ "https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.", "https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "trojan.msil/cymulate", "display_name": "trojan.msil/cymulate", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 490, "FileHash-SHA1": 351, "FileHash-SHA256": 1099, "URL": 188, "CVE": 1, "domain": 316, "email": 2, "hostname": 829 }, "indicator_count": 3276, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b807e6e5963d7f29174969", "name": "Esurance | Trojan:Win32/InstallCore | Amazonaws", "description": "", "modified": "2024-02-28T06:00:48.863000", "created": "2024-01-29T20:17:42.243000", "tags": [ "no expiration", "filehashsha256", "hostname", "filehashmd5", "expiration", "filehashsha1", "ipv4", "domain", "url https", "url http", "next", "a domains", "accept", "ad tracker", "all octoseek", "amazons3", "xcache", "analyze", "apache", "cyber threat", "defense", "cyber", "cyber defense", "crypto", "critical", "creation date", "covid19", "copy", "contacted", "collections", "code", "cloudfront", "click", "botnet", "body", "block", "best link", "beds protector", "backdoor", "back", "united", "asnone", "asn as133618", "as27647", "as24940 hetzner", "as16552 tiggee", "google", "as15169", "as133618", "apple", "apple ios", "cymulate", "date", "defacement", "default", "default page", "dock", "dock domain", "download", "domains", "emotet", "encrypt", "entries", "evader", "execution", "evader", "xamzexpires600", "write", "execution", "windows module", "module", "shared modules", "windows", "win32", "west domains", "welcome", "expiressun files files written firm collection germany unknown g", "https urls", "http url", "url", "collection", "unknown", "unique", "twitter", "tsara brashears", "trojandropper", "tracker", "metro", "tmobile", "memcommit", "meta", "title error", "threat report", "threat analyzer", "threat", "t1129", "suppobox", "stop", "steam route", "stealer", "status", "showing", "show", "set cookie", "search servers", "server", "servers", "search", "scan endpoints", "meta", "dns", "samples", "reverse", "read c", "ransom", "push", "submit", "pulse", "pulse pulses", "proxima nova", "province tx", "precreate read", "read", "post", "phishing site", "pegasus", "pe resource", "path xcache", "path", "patch", "paste", "passive dns", "open", "nymaim", "next", "name servers", "load", "module", "miss" ], "references": [ "https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.", "https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "trojan.msil/cymulate", "display_name": "trojan.msil/cymulate", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "65b74e347a5554e357bfe1c5", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 490, "FileHash-SHA1": 351, "FileHash-SHA256": 1099, "URL": 188, "CVE": 1, "domain": 316, "email": 2, "hostname": 829 }, "indicator_count": 3276, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b74dad85b8b1c8291913b6", "name": "Trojan:Win32/InstallCore | Esurance | Amazonaws", "description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com", "modified": "2024-02-28T06:00:48.863000", "created": "2024-01-29T07:03:09.687000", "tags": [ "no expiration", "filehashsha256", "hostname", "filehashmd5", "expiration", "filehashsha1", "ipv4", "domain", "url https", "url http", "next", "a domains", "accept", "ad tracker", "all octoseek", "amazons3", "xcache", "analyze", "apache", "cyber threat", "defense", "cyber", "cyber defense", "crypto", "critical", "creation date", "covid19", "copy", "contacted", "collections", "code", "cloudfront", "click", "botnet", "body", "block", "best link", "beds protector", "backdoor", "back", "united", "asnone", "asn as133618", "as27647", "as24940 hetzner", "as16552 tiggee", "google", "as15169", "as133618", "apple", "apple ios", "cymulate", "date", "defacement", "default", "default page", "dock", "dock domain", "download", "domains", "emotet", "encrypt", "entries", "evader", "execution", "evader", "xamzexpires600", "write", "execution", "windows module", "module", "shared modules", "windows", "win32", "west domains", "welcome", "expiressun files files written firm collection germany unknown g", "https urls", "http url", "url", "collection", "unknown", "unique", "twitter", "tsara brashears", "trojandropper", "tracker", "metro", "tmobile", "memcommit", "meta", "title error", "threat report", "threat analyzer", "threat", "t1129", "suppobox", "stop", "steam route", "stealer", "status", "showing", "show", "set cookie", "search servers", "server", "servers", "search", "scan endpoints", "meta", "dns", "samples", "reverse", "read c", "ransom", "push", "submit", "pulse", "pulse pulses", "proxima nova", "province tx", "precreate read", "read", "post", "phishing site", "pegasus", "pe resource", "path xcache", "path", "patch", "paste", "passive dns", "open", "nymaim", "next", "name servers", "load", "module", "miss" ], "references": [ "https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.", "https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "trojan.msil/cymulate", "display_name": "trojan.msil/cymulate", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 490, "FileHash-SHA1": 351, "FileHash-SHA256": 1099, "URL": 188, "CVE": 1, "domain": 316, "email": 2, "hostname": 829 }, "indicator_count": 3276, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b74da9d181a085eecc19b6", "name": "Trojan:Win32/InstallCore | Esurance | Amazonaws", "description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com", "modified": "2024-02-28T06:00:48.863000", "created": "2024-01-29T07:03:05.828000", "tags": [ "no expiration", "filehashsha256", "hostname", "filehashmd5", "expiration", "filehashsha1", "ipv4", "domain", "url https", "url http", "next", "a domains", "accept", "ad tracker", "all octoseek", "amazons3", "xcache", "analyze", "apache", "cyber threat", "defense", "cyber", "cyber defense", "crypto", "critical", "creation date", "covid19", "copy", "contacted", "collections", "code", "cloudfront", "click", "botnet", "body", "block", "best link", "beds protector", "backdoor", "back", "united", "asnone", "asn as133618", "as27647", "as24940 hetzner", "as16552 tiggee", "google", "as15169", "as133618", "apple", "apple ios", "cymulate", "date", "defacement", "default", "default page", "dock", "dock domain", "download", "domains", "emotet", "encrypt", "entries", "evader", "execution", "evader", "xamzexpires600", "write", "execution", "windows module", "module", "shared modules", "windows", "win32", "west domains", "welcome", "expiressun files files written firm collection germany unknown g", "https urls", "http url", "url", "collection", "unknown", "unique", "twitter", "tsara brashears", "trojandropper", "tracker", "metro", "tmobile", "memcommit", "meta", "title error", "threat report", "threat analyzer", "threat", "t1129", "suppobox", "stop", "steam route", "stealer", "status", "showing", "show", "set cookie", "search servers", "server", "servers", "search", "scan endpoints", "meta", "dns", "samples", "reverse", "read c", "ransom", "push", "submit", "pulse", "pulse pulses", "proxima nova", "province tx", "precreate read", "read", "post", "phishing site", "pegasus", "pe resource", "path xcache", "path", "patch", "paste", "passive dns", "open", "nymaim", "next", "name servers", "load", "module", "miss" ], "references": [ "https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.", "https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "trojan.msil/cymulate", "display_name": "trojan.msil/cymulate", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 490, "FileHash-SHA1": 351, "FileHash-SHA256": 1099, "URL": 188, "CVE": 1, "domain": 316, "email": 2, "hostname": 829 }, "indicator_count": 3276, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657091e3fe3ea67f512143e3", "name": "\ud83d\udea8\ud83d\udea8\ud83d\udea8 groups.google.com/d/msg/littleproxy/IdZ8R1upAHs/0ctP8JwlBaUJ'", "description": "", "modified": "2023-12-06T15:23:15.237000", "created": "2023-12-06T15:23:15.237000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 116, "hostname": 37, "domain": 77, "URL": 131, "FileHash-MD5": 49, "FileHash-SHA1": 48 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "863 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570901a7a4c52e683913431", "name": "nteresting... clone of sebs BdeUIDrv.exe", "description": "", "modified": "2023-12-06T15:15:38.727000", "created": "2023-12-06T15:15:38.727000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 245, "FileHash-MD5": 23, "FileHash-SHA1": 22, "hostname": 16, "domain": 6, "URL": 11, "CVE": 1 }, "indicator_count": 324, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570900c6069122da999a280", "name": "sebs BdeUISrv.exe file", "description": "", "modified": "2023-12-06T15:15:24.693000", "created": "2023-12-06T15:15:24.693000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 245, "FileHash-MD5": 23, "FileHash-SHA1": 22, "hostname": 16, "domain": 6, "URL": 11, "CVE": 1 }, "indicator_count": 324, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570816fa5b73f6d66bce4bb", "name": "Sandbox - Vi;https://edu-cisco.org - conti touched", "description": "", "modified": "2023-12-06T14:13:03.193000", "created": "2023-12-06T14:13:03.193000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 231, "domain": 42, "hostname": 154, "URL": 419, "FileHash-MD5": 59, "FileHash-SHA1": 46, "email": 2 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "630e9bb8c96096d82260d703", "name": "\ud83d\udea8\ud83d\udea8\ud83d\udea8 groups.google.com/d/msg/littleproxy/IdZ8R1upAHs/0ctP8JwlBaUJ'", "description": "", "modified": "2022-09-30T00:03:24.809000", "created": "2022-08-30T23:22:32.540000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "data", "decrypted ssl", "windows nt", "size", "sha256", "sha1", "pcap", "seen", "accept", "date", "format", "null", "august", "hybrid", "close", "click", "hosts", "suspicious", "local", "strings" ], "references": [ "https://hybrid-analysis.com/sample/bee5af3003505318165465985eaed9f2c8fac29262091dcb331e8bb347c6bccc/630e9042e0d17261cf7e453f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 37, "URL": 131, "FileHash-SHA256": 116, "domain": 77, "FileHash-MD5": 49, "FileHash-SHA1": 48 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c0ec533cf0d76f4e29cdf5", "name": "nteresting... clone of sebs BdeUIDrv.exe", "description": "", "modified": "2022-07-31T00:02:44.153000", "created": "2022-07-03T01:09:39.978000", "tags": [ "ssl certificate", "whois", "vt graph", "collection", "june", "new collection", "remcos", "wl1819", "emotet", "threat roundup", "ursnif", "quasar", "ransomexx", "asyncrat", "matanbuchus", "cobalt strike", "agent tesla", "chaos", "service", "trojan", "dridex", "grandoreiro", "gamaredon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "62becc204ed68a5fef31dd10", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "domain": 6, "URL": 11, "FileHash-MD5": 23, "FileHash-SHA1": 22, "FileHash-SHA256": 245, "CVE": 1 }, "indicator_count": 324, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62becc204ed68a5fef31dd10", "name": "sebs BdeUISrv.exe file", "description": "The full text of the text below, as compiled by the BBC News website, can be viewed here:-1.99.0, and here is the full list of words:..", "modified": "2022-07-31T00:02:44.153000", "created": "2022-07-01T10:27:44.539000", "tags": [ "ssl certificate", "whois", "vt graph", "collection", "june", "new collection", "remcos", "wl1819", "emotet", "threat roundup", "ursnif", "quasar", "ransomexx", "asyncrat", "matanbuchus", "cobalt strike", "agent tesla", "chaos", "service", "trojan", "dridex", "grandoreiro", "gamaredon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AIDefenseNet", "id": "102874", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "domain": 6, "URL": 11, "FileHash-MD5": 23, "FileHash-SHA1": 22, "FileHash-SHA256": 245, "CVE": 1 }, "indicator_count": 324, "is_author": false, "is_subscribing": null, "subscriber_count": 105, "modified_text": "1357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622bff66af821729750147ab", "name": "Sandbox - Vi;https://edu-cisco.org - conti touched", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T02:03:18.697000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "date", "sha256", "pcap", "pcap processing", "windows", "path", "accept", "body", "format", "xbtl", "hybrid", "close", "click", "hosts", "malicious", "general", "local", "factory", "strings", "suspicious", "conti" ], "references": [ "https://hybrid-analysis.com/sample/257842aced71d6a8197f6269f4804e36a3e7aa40755e22479bbe34531411e0c0?environmentId=100" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 231, "URL": 419, "hostname": 154, "domain": 42, "FileHash-MD5": 59, "FileHash-SHA1": 46, "email": 2 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1468 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Pegasus Indicators deleted during pulse", "https://hybrid-analysis.com/sample/257842aced71d6a8197f6269f4804e36a3e7aa40755e22479bbe34531411e0c0?environmentId=100", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Incredibly false information, white screens , pink screens and chat erasure", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CS Sigma: Matches rule Python Initiated Connection by frack113", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "Was anyone else notified? I'm not sure why I was.", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "Definitely requires further research", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "AV Detection: ELF:Mirai-GH\\ [Trj]", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.", "https://hybrid-analysis.com/sample/bee5af3003505318165465985eaed9f2c8fac29262091dcb331e8bb347c6bccc/630e9042e0d17261cf7e453f", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "quecompegasune.tk \u2022 hipicapegaso.com", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "https://www.virustotal.com/graph/g39dfc7371f134b7292e6af443cbfb78f47989df600c146e28ecdea053c199257", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://shift.gearboxsoftware.com/link", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "http://catgirls.foundation/main \u2022 https://spaceship.com/", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "URLSpirit Spyware", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "https://tulach.cc/", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "wallpapers-nature.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "https://www.turbo.net/run/videolan/vlc", "Antivirus Detections: Win.Trojan.Agent-1190546" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Mirai", "Colorado Quasi Government | Workerk Compensation" ], "malware_families": [ "Pws:win32/zbot.ms!mtb", "Backdoor:linux/mirai", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Worm:win32/sfone", "Alf:heraklezeval:trojan:win32/clipbanker", "Win.packer.pkr_ce1a-9980177-0", "Atros3.ldj", "Berbew", "Trojan.msil/cymulate", "Inmortal", "Nymaim", "Urlspirit", "Psw.sinowal.x", "Other malware", "Flyagent l", "Muldrop", "Backdoor:linux/demonbot.aa!mtb", "Elf:mirai-gh\\ [trj]", "W32/pidgeon-a", "Win.trojan.barys-10005825-0", "Trojanspy:win32/gucotut.a", "Emotet", "Variant.zusy.151902", "Trojan.mirai/fedr", "Ddos:linux/mirai", "Exploit:linux/cve-2017-17215", "Generic", "Zombie", "Win.dropper.autoit-6688751-0", "Nemucod", "Cve-2023-4966", "Domains", "Trojan:msil/agenttesla.dw!mtb", "Win.trojan.starter-171", "Mirai (elf)", "Win.trojan.generic-9878032-0", "Mirai", "Cve-2022-26134", "Win32:malware-gen", "A variant of win32/flystudio.packed.ad potentially unwanted", "Win.malware.trojanx-9862538-0", "Win.malware.pits-10035540-0", "Suppobox", "Trojandropper:win32/vb.il", "Win.dropper.dridex-9986041-0", "Worm:win32/mofksys.rnd!mtb", "Dorv", "Trojan.mirai/fszhh", "Worm:win32/locksky.gen!a", "Backdoor:win32/berbew.aa!mtb", "Ransom:win32/cve-2017-0147", "Unix.trojan.mirai-9441505-0", "Trojan:win32/installcore", "Win.exploit.rozena-10038302-0", "Win32:pwsx-gen\\ [trj]", "Win.malware.bbabdcdc-7358312-0", "Win32:trojan-gen", "Win.virus.polyransom-5704625-0", "Virus.ramnit/nimnul", "Upatre", "Trojanspy", "Alf:e5.spikeaex.rhh_mcv", "Worm:win32/sfone.a", "Win-trojan/malpacked5.gen", "Android/ave.mirai.fszhh", "Trojan:win32/zombie", "Win.ransomware.msilzilla-10014498-0", "Alf:heraklezeval:trojan:win32/zombie", "Win.dropper.bulz-9910065-0", "Gravityrat" ], "industries": [ "Defense", "Technology", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 21, "pulses": [ { "id": "69e2f11d6c64ebb73108a718", "name": "Clone from 1 mo ago by me \"motherless.com\"", "description": "", "modified": "2026-04-18T04:01:08.013000", "created": "2026-04-18T02:49:01.477000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69b75475235f55af134a852e", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 130, "hostname": 386, "URL": 893, "FileHash-MD5": 855, "FileHash-SHA1": 320, "FileHash-SHA256": 320, "SSLCertFingerprint": 129 }, "indicator_count": 3033, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7dfc7d3eaadbdd2718bf8", "name": "Stealth Window", "description": "Overview\nFile Score\n10\nMalicious\nYara Detections\nNone\nAlerts\nscript_created_process\nstealth_network\nantivm_generic_disk\ninfostealer_cookies\nsuspicious_command_tools\nantidebug_guardpages\ndynamic_function_loading\nreads_self\nstealth_window\ncmdline_http_link\nMore\nIP\u2019s Contacted\n\n146.59.166.237\nDomains Contacted\nmyip.ms\nRelated Pulses\nOTX User-Created Pulses (1)\nRelated Tags\nNone\nFile Type\nVBS - ASCII text\nSize\n0 KB (350 bytes)\nMD5\ncaf3c98c7fa1b31f44441a99e85ecd30\nSHA1\nc7c8bf1cba1e48b6f128a6efcda540f79b26f0fd\nSHA256\nceaae008642b0a96ed8af154a7fcada244a85b17164d6632f9a69b32b543d354\nExternal Resources\nVirusTotal\nVirusTotal", "modified": "2026-04-15T12:09:31.789000", "created": "2026-03-16T10:47:35.092000", "tags": [ "date", "file score", "malicious yara", "detections none", "contacted", "related pulses", "pulses", "tags none", "file type", "ascii text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 12, "FileHash-SHA256": 69, "domain": 12, "CIDR": 6, "URL": 72, "hostname": 49, "email": 3 }, "indicator_count": 236, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b75475235f55af134a852e", "name": "motherless.com", "description": "sicko.", "modified": "2026-04-15T01:19:40.005000", "created": "2026-03-16T00:53:09.636000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 130, "hostname": 385, "URL": 893, "FileHash-MD5": 855, "FileHash-SHA1": 320, "FileHash-SHA256": 320, "SSLCertFingerprint": 129 }, "indicator_count": 3032, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd2f0f3ec7c87de65ffe6a", "name": "Habo Analysis System", "description": "https://www.virustotal.com/gui/file/518a965029e5e07f088fab3ba20947fd67bada1e7f8c1806fdc77e62816e9143/behavior\ndetect-debug-environment self-delete", "modified": "2026-03-20T11:29:24.006000", "created": "2026-03-20T11:27:10.993000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 6, "domain": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6919473b9e0624394e9b68e9", "name": "Backdoor:Linux/DemonBot Affecting Unsecured servers", "description": "A closer look at a hacker group found in Mirai Bot Network. Catgirls is still active , has running web server , is only viewable to group according to remarks regarding \u2018catgirls\u2019 domains , sub domains , hosts.\n\n Multiple hosts , name servers and links. .Backdoor:Linux/DemonBot Malicious attacks affecting unsecured servers (personal , business) networks, DDOS attacks , Mitre. Worm, Ransomware. \n\nHacker group has seemingly caused a fair ammunition of damage to small businesses and / or individuals/civil society.. Seen in attacks against handful of targets are in this Mirai Botnet. Of course we know how very large the Mirai Botnet is.", "modified": "2025-12-16T03:02:09.743000", "created": "2025-11-16T03:38:35.430000", "tags": [ "server", "algorithm", "x509v3 subject", "registrar abuse", "v3 serial", "spaceship", "community", "related pulses", "cidr", "mirai botnet", "hacker", "mirai att", "ck id", "group", "active", "generic pong", "reporting arch", "msie", "windows nt", "resolverror", "backdoor", "malware", "strings", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ipv4", "iocs", "drop", "review iocs", "found", "ascii text", "pattern match", "mitre att", "beginstring", "null", "refresh", "span", "hybrid", "click", "error", "tools", "look", "verify", "restart", "united", "moved", "passive dns", "urls", "record value", "unknown aaaa", "gmt content", "title", "cookie", "signing defense", "t1553 technique", "subvert trust", "controls learn", "disable", "modify tools", "defense evasion", "t1562 technique", "rdap", "domain database", "dap domain", "datab", "database", "array", "content", "ascii", "form", "initial access", "execution", "present aug", "present jul", "present nov", "present oct", "ip address", "command decode", "suricata ipv4", "localappdata", "windir", "openurl c", "programfiles", "edge", "cloudflare", "ssl certificate", "size", "starfield", "accept", "path", "general", "local", "hostname add", "pulse pulses", "read c", "port", "destination", "rgba", "unicode text", "medium", "unknown", "code", "write", "pecompact", "packer", "delphi", "win32", "persistence", "crash", "next", "china unknown", "chrome", "internal server", "next associated", "ipv4 add", "trojandropper", "date", "domain", "search", "domain add", "certificate", "next http", "scans show", "found title", "head body", "hostname", "files", "files ip", "address", "location united", "asn asnone", "present feb", "present jun", "unknown ns", "internet", "emails", "present sep", "show", "memcommit", "gapd5d", "key0", "packing t1045", "filehash", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "mirai", "json", "total", "delete", "win64", "url http", "http", "related nids", "files location", "flag united", "gmt cache", "pulse submit", "url analysis", "verdict", "win32dh", "reverse dns", "america flag", "worm", "warehouse mgmt", "built", "retailexperts", "read", "top source", "top destination", "aaaa", "ransom", "trojan", "entries", "singapore", "singapore asn", "as16509", "present mar", "creation date", "contacted", "hostile", "targeting", "whitelisted", "high", "systemroot", "as15169", "copy", "global", "dynamicloader", "directui", "yara rule", "element", "classinfobase", "ccbase", "hwndhost", "windows" ], "references": [ "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2" ], "public": 1, "adversary": "Mirai", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null }, { "id": "mirai", "display_name": "mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Worm:Win32/Locksky.gen!A", "display_name": "Worm:Win32/Locksky.gen!A", "target": "/malware/Worm:Win32/Locksky.gen!A" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1991, "domain": 428, "hostname": 882, "FileHash-SHA256": 2213, "FileHash-MD5": 675, "FileHash-SHA1": 530, "email": 7, "CIDR": 1, "CVE": 1, "SSLCertFingerprint": 23 }, "indicator_count": 6751, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bc3e255b066ad9f51d65fd", "name": "\u6f0f\u62a5\u5bb6\u65cf_\u5b57\u7b26\u4e32\u62fc\u63a5", "description": "", "modified": "2025-06-17T11:24:14.597000", "created": "2025-02-24T09:38:45.635000", "tags": [], "references": [ "https://www.virustotal.com/graph/g39dfc7371f134b7292e6af443cbfb78f47989df600c146e28ecdea053c199257" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 27, "FileHash-SHA1": 22, "FileHash-SHA256": 167, "URL": 164, "hostname": 22, "domain": 2 }, "indicator_count": 404, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 243, "modified_text": "638 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b74e347a5554e357bfe1c5", "name": "Esurance | Trojan:Win32/InstallCore | Amazonaws", "description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com\nDiscovered mid - late January 2024.", "modified": "2024-02-28T06:00:48.863000", "created": "2024-01-29T07:05:24.671000", "tags": [ "no expiration", "filehashsha256", "hostname", "filehashmd5", "expiration", "filehashsha1", "ipv4", "domain", "url https", "url http", "next", "a domains", "accept", "ad tracker", "all octoseek", "amazons3", "xcache", "analyze", "apache", "cyber threat", "defense", "cyber", "cyber defense", "crypto", "critical", "creation date", "covid19", "copy", "contacted", "collections", "code", "cloudfront", "click", "botnet", "body", "block", "best link", "beds protector", "backdoor", "back", "united", "asnone", "asn as133618", "as27647", "as24940 hetzner", "as16552 tiggee", "google", "as15169", "as133618", "apple", "apple ios", "cymulate", "date", "defacement", "default", "default page", "dock", "dock domain", "download", "domains", "emotet", "encrypt", "entries", "evader", "execution", "evader", "xamzexpires600", "write", "execution", "windows module", "module", "shared modules", "windows", "win32", "west domains", "welcome", "expiressun files files written firm collection germany unknown g", "https urls", "http url", "url", "collection", "unknown", "unique", "twitter", "tsara brashears", "trojandropper", "tracker", "metro", "tmobile", "memcommit", "meta", "title error", "threat report", "threat analyzer", "threat", "t1129", "suppobox", "stop", "steam route", "stealer", "status", "showing", "show", "set cookie", "search servers", "server", "servers", "search", "scan endpoints", "meta", "dns", "samples", "reverse", "read c", "ransom", "push", "submit", "pulse", "pulse pulses", "proxima nova", "province tx", "precreate read", "read", "post", "phishing site", "pegasus", "pe resource", "path xcache", "path", "patch", "paste", "passive dns", "open", "nymaim", "next", "name servers", "load", "module", "miss" ], "references": [ "https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.", "https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "trojan.msil/cymulate", "display_name": "trojan.msil/cymulate", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" } ], "attack_ids": [ { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 490, "FileHash-SHA1": 351, "FileHash-SHA256": 1099, "URL": 188, "CVE": 1, "domain": 316, "email": 2, "hostname": 829 }, "indicator_count": 3276, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "20.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "20.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776525585.3739312 }