{
"type": "Domain",
"indicator": "20python.org",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/20python.org",
"alexa": "http://www.alexa.com/siteinfo/20python.org",
"indicator": "20python.org",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3737280302,
"indicator": "20python.org",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69b2bb3f596b9a99d6eb97c3",
"name": "unnamed group SOCradar clone by fraevolquez",
"description": "",
"modified": "2026-04-12T00:05:39.579000",
"created": "2026-03-12T13:10:23.942000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": "67733381a0cdad5d55f5166f",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2730aa46a25d7949daa8d",
"name": "apple retail dnspionage clone octoseek",
"description": "",
"modified": "2026-04-11T00:03:57.096000",
"created": "2026-03-12T08:02:18.609000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "658a2b6cfdcfeec5db5f31a1",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a5c36b78ed73550bb0bf22",
"name": "by Disable_Duck",
"description": "",
"modified": "2026-03-04T23:37:24.208000",
"created": "2026-03-02T17:05:47.288000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB",
"TLS/SSL Crawler",
"CVE-2026-24061 Attempt",
"Generic IoT Default Password Attempt",
"Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
"Dahua Backdoor Attempt",
"ENV Crawler",
"DCERPC Protocol",
"Carries HTTP Referer",
"GNU Inetutils Telnetd Auth Bypass",
"ICMPv4 Protocol"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)",
"Argentina",
"Switzerland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6901363c4ce422f5caf0f72c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 996,
"domain": 987,
"hostname": 3306,
"email": 4,
"CVE": 1
},
"indicator_count": 27048,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "45 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6980689d04c3d0afa554c247",
"name": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26",
"description": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26",
"modified": "2026-03-04T08:01:36.153000",
"created": "2026-02-02T09:04:29.535000",
"tags": [
"entity",
"skreutzb",
"kgs0",
"kls0",
"please",
"javascript",
"Proton",
"Drive",
"Mail",
"Calendar",
"VPN",
"Ubiquiti",
"Unifi",
"Malcerts",
"Certificates",
"Apple",
"Github",
"Cocoapods"
],
"references": [
"https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark",
"https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027",
"https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 24,
"FileHash-SHA1": 20,
"FileHash-SHA256": 146,
"hostname": 143,
"URL": 218,
"domain": 35
},
"indicator_count": 586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6901363c4ce422f5caf0f72c",
"name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
"description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
"modified": "2026-02-18T05:00:41.494000",
"created": "2025-10-28T21:31:40.008000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 995,
"domain": 984,
"hostname": 3305,
"email": 4
},
"indicator_count": 27042,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "60 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68cda7d2fa81b016a486aad8",
"name": "logo Virustotal/Virustotal.com( usuni\u0119te pliki Virustotal i ich wsp\u00f3lne cechy)",
"description": "",
"modified": "2025-10-19T18:02:53.885000",
"created": "2025-09-19T18:58:26.750000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 213,
"FileHash-MD5": 100,
"FileHash-SHA1": 100,
"FileHash-SHA256": 150,
"domain": 11,
"hostname": 5
},
"indicator_count": 579,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "182 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68adee67c08cd025b05c2ab0",
"name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25",
"description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.",
"modified": "2025-10-16T05:02:02.452000",
"created": "2025-08-26T17:27:01.650000",
"tags": [
"http",
"https",
"kgs0",
"kls0",
"Malcerts",
"Certificates",
"Alberta",
"GovAB",
"UAlberta",
"Speader"
],
"references": [
"https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
"https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
"https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
"https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
"https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
"Added some URLs from FSio Report to URLScan"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Aruba",
"Panama",
"Poland",
"Ukraine",
"United Kingdom of Great Britain and Northern Ireland",
"Anguilla",
"United Arab Emirates",
"Ireland",
"Tanzania, United Republic of",
"Philippines",
"Japan",
"Guatemala",
"Mexico",
"Bahamas",
"Barbados",
"Georgia",
"Slovakia",
"Sint Maarten (Dutch part)",
"Kenya"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Technology",
"Telecommunications",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1639,
"FileHash-MD5": 1481,
"FileHash-SHA1": 1421,
"FileHash-SHA256": 5969,
"domain": 707,
"hostname": 2311,
"email": 5,
"CIDR": 13
},
"indicator_count": 13546,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "185 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68b78d521f024d3a98fc79c8",
"name": "VT Graph miniuser - Databreach IOCs & Links",
"description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-03T00:35:30.936000",
"tags": [
"kgs0",
"kls0",
"entity",
"UAlberta",
"University of Alberta",
"Hacked",
"DataBreach"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 132,
"FileHash-SHA1": 121,
"FileHash-SHA256": 711,
"URL": 83,
"domain": 50,
"hostname": 125
},
"indicator_count": 1222,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "198 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686d28ec9208b0424e0ccad2",
"name": "Remote Keylogger | Foundry",
"description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.",
"modified": "2025-09-19T03:02:22.742000",
"created": "2025-07-08T14:19:24.211000",
"tags": [
"delete",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"delete c",
"intel",
"write",
"malware",
"dynamicloader",
"yara rule",
"high",
"vmware",
"phishing",
"remote",
"keylogger",
"remote keylogger",
"type indicator",
"related pulses",
"no expiration",
"url https",
"showing",
"reputation",
"foundry",
"apple",
"downloader",
"trojan"
],
"references": [
"http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
"\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
"\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
"\u2022 199.59.243.226",
"\u2022 ww25.vpn.steamcommunity-site.info",
"\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
"\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
"\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
"\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
"\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Reputation.1",
"display_name": "Reputation.1",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [
"Telecommunications",
"Technology",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 260,
"FileHash-SHA1": 244,
"FileHash-SHA256": 4406,
"URL": 9684,
"domain": 3164,
"hostname": 3370,
"CVE": 1
},
"indicator_count": 21129,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "212 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "687605f986433ebf2673f0b8",
"name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring",
"description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}",
"modified": "2025-08-14T07:05:00.239000",
"created": "2025-07-15T07:40:41.180000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses hostname",
"entries",
"gmt etag",
"server",
"ecacc",
"serving ip",
"address",
"dom dom",
"data upload",
"extraction",
"pdf report",
"enter",
"failed",
"extraction data",
"enter sc",
"type",
"extra data",
"extri please",
"review data",
"excluded tous",
"tui sugges",
"find",
"show",
"at filer",
"iocs",
"levelbluelabs",
"please",
"included iocs",
"excluded io",
"find suggested",
"types",
"domain data",
"search",
"o please",
"manually add",
"c data",
"o suggesteo",
"include data",
"review uus",
"u exclude",
"find s",
"indicaok data",
"dom doman",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"copy",
"push",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ascii text",
"size",
"mitre att",
"utf8",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"discovery att"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3597,
"FileHash-MD5": 343,
"domain": 547,
"hostname": 1222,
"FileHash-SHA1": 343,
"FileHash-SHA256": 4464,
"CVE": 1,
"email": 1
},
"indicator_count": 10518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "248 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686ab98ff0cb9baa4e2b2000",
"name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?",
"description": "",
"modified": "2025-08-05T21:02:46.419000",
"created": "2025-07-06T17:59:43.440000",
"tags": [
"runtime process",
"localappdata",
"size",
"sha256",
"sha1",
"temp",
"prefetch8",
"prefetch1",
"unicode text",
"type data",
"hybrid",
"general",
"click",
"strings",
"contact",
"mitre",
"writes a pe file header to disc",
"show process",
"date",
"document file",
"v2 document",
"ascii text",
"malicious",
"local",
"path",
"found",
"ssl certificate",
"whois record",
"threat roundup",
"contacted",
"october",
"resolutions",
"apple ios",
"referrer",
"communicating",
"execution",
"june",
"august",
"emotet",
"qakbot",
"agent tesla",
"azorult",
"core",
"maze",
"metro",
"dark",
"team",
"critical",
"copy",
"awful",
"ursnif",
"hacktool",
"info",
"qbot",
"april",
"njrat",
"nokoyawa",
"djvu",
"flubot",
"ransomware",
"bandit stealer",
"hallrender",
"spyware",
"safebae",
"tsara brashears",
"westlaw",
"river.rocks",
"brian sabey",
"targeting",
"dnspionage",
"united",
"unknown",
"search",
"aaaa",
"showing",
"domain",
"creation date",
"record value",
"dnssec",
"body",
"passive dns",
"encrypt",
"as14061",
"germany unknown",
"as397240",
"gmt server",
"443 ma2592000",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"main",
"installing",
"as16276",
"france unknown",
"name servers",
"as8075",
"servers",
"next",
"as63949 linode",
"as206834 team",
"canada unknown",
"status",
"as61969 team",
"msie",
"chrome",
"ransom",
"gone",
"title",
"head body",
"malware"
],
"references": [
"\u2193\u2192Found in: https://house.mo.gov/\u2193",
"dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
"demo.auth.civicalg.com.sni.cloudflaressl.com",
"happyrabbit.kr [Apple iOS threat]",
"https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
"https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
"https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
"https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
"http://nudeteenporn.site"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Nokoyawa Ransomware",
"display_name": "Nokoyawa Ransomware",
"target": null
},
{
"id": "Bandit Stealer",
"display_name": "Bandit Stealer",
"target": null
},
{
"id": "FluBot",
"display_name": "FluBot",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "QBot",
"display_name": "QBot",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "AZORult",
"display_name": "AZORult",
"target": null
},
{
"id": "Djvu",
"display_name": "Djvu",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Maze",
"display_name": "Maze",
"target": null
},
{
"id": "Dark",
"display_name": "Dark",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1065",
"name": "Uncommonly Used Port",
"display_name": "T1065 - Uncommonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65c96df8fe0657d56a206a49",
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 251,
"FileHash-SHA1": 211,
"FileHash-SHA256": 3226,
"domain": 1867,
"URL": 10030,
"hostname": 2919,
"CVE": 7,
"email": 6
},
"indicator_count": 18517,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "257 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6888820cbdf42f46edc8e5ed",
"name": "NORAD TRACKING ",
"description": "",
"modified": "2025-07-29T08:10:52.558000",
"created": "2025-07-29T08:10:52.558000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6512660b83a8b8fedc8d0d7b",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 240,
"FileHash-SHA1": 211,
"FileHash-SHA256": 984,
"URL": 513,
"domain": 443,
"hostname": 382
},
"indicator_count": 2773,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "264 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6512660b83a8b8fedc8d0d7b",
"name": "NORAD TRACKING (by scamcheck) 2023-06-14",
"description": "https://www.virustotal.com/gui/collection/a8b8fd7a4dc70c3d6dedfa9f183ad49f89229a74b674da48c9e7a08af6f84fa4",
"modified": "2025-07-29T02:53:38.769000",
"created": "2023-09-26T05:03:07.873000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 240,
"FileHash-SHA1": 211,
"FileHash-SHA256": 984,
"URL": 513,
"domain": 443,
"hostname": 382
},
"indicator_count": 2773,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 178,
"modified_text": "264 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67b109cbfbcc6f92c399b327",
"name": "UAlberta Breach Data - Food for thought - thoughts & input on how to 'bring some attention to this' (not enriched)",
"description": "Just thought I'd throw thisntogether and 'see what ya'll make of it' (documents a VT graph produced and slightly modified) that pulls a lot of things together. Highlights both 'some problems' - U of A / Gov. of AB (who are also some 'solutions'). \nIdeas on how to grab their attention and maybe bring some 'urgency' to this issue? I have a few solutions and ideas for everyone - problem: I require some folks to 'do their jobs' (there is not 10 of me). Thoughts on how to encourage them to act on these problems. Present status: Connected directly to them on other devices. Within literal 5 min walking range.",
"modified": "2025-05-27T07:01:17.646000",
"created": "2025-02-15T21:40:27.895000",
"tags": [
"kgs0",
"kls0"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
"",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 215,
"FileHash-SHA1": 193,
"FileHash-SHA256": 1302,
"URL": 166,
"domain": 100,
"hostname": 234
},
"indicator_count": 2210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "327 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67aac6e4b628acffaed3f068",
"name": "New Batch - Malcerts - 02.10.25 - unenriched",
"description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
"modified": "2025-03-16T17:01:06.968000",
"created": "2025-02-11T03:41:24.585000",
"tags": [
"UAlberta",
"Malcerts",
"Certificates",
"Eduroam",
"Alberta"
],
"references": [
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
"https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
"https://tria.ge/250210-3c3c3askfz",
"https://tria.ge/250210-3nh4kasmes",
"https://tria.ge/250210-3y8f7sspdy",
"https://tria.ge/250211-dhpxgswlax",
"https://tria.ge/250211-dt1hcswme1",
"https://tria.ge/250211-dx9v7swnbw",
"Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
"https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications",
"Finance",
"Agriculture",
"Hospitality",
"Media",
"Retail"
],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 831,
"FileHash-SHA1": 801,
"FileHash-SHA256": 3227,
"URL": 395,
"domain": 189,
"hostname": 798
},
"indicator_count": 6241,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "399 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67733b72d522398f5ea0a12d",
"name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar",
"description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024",
"modified": "2025-01-30T00:00:18.927000",
"created": "2024-12-31T00:31:46.858000",
"tags": [
"cve201711882",
"cve20201472"
],
"references": [],
"public": 1,
"adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2631,
"FileHash-SHA1": 2168,
"FileHash-SHA256": 3401,
"CVE": 25,
"domain": 977,
"hostname": 1226
},
"indicator_count": 10428,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "444 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67733381a0cdad5d55f5166f",
"name": "Unnamed group Socradar december 2024 Dominican Republic",
"description": "Unnamed group Socradar december 2024 Dominican Republic",
"modified": "2025-01-29T23:03:56.990000",
"created": "2024-12-30T23:57:53.741000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 58,
"modified_text": "444 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67733387cf721a39ea7cc07b",
"name": "Unnamed group Socradar december 2024 Dominican Republic",
"description": "Unnamed group Socradar december 2024 Dominican Republic",
"modified": "2025-01-29T23:03:56.990000",
"created": "2024-12-30T23:57:59.507000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 60,
"modified_text": "444 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6773339803fe4b775f7adbbc",
"name": "Unnamed group Socradar december 2024 Dominican Republic",
"description": "Unnamed group Socradar december 2024 Dominican Republic",
"modified": "2025-01-29T23:03:56.990000",
"created": "2024-12-30T23:58:16.590000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 59,
"modified_text": "444 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a4885e735b9e8ba94805bc",
"name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com",
"description": "",
"modified": "2024-09-05T06:51:42.608000",
"created": "2024-01-15T01:20:30.730000",
"tags": [
"execution",
"whois record",
"contacted",
"ssl certificate",
"whois whois",
"contacted urls",
"copy",
"historical ssl",
"referrer",
"urls url",
"icmp",
"malicious",
"installer",
"problems",
"collections",
"report",
"phishing",
"service tool",
"greatness",
"threat network",
"emotet",
"magniber",
"startpage",
"attack",
"banker",
"keylogger",
"namecheap inc",
"com laude",
"ltd dba",
"cloudflare",
"porkbun llc",
"ii llc",
"csc corporate",
"domains",
"computer",
"company limited",
"first",
"cloudflarenet",
"google",
"amazon02",
"akamaias",
"telecom italia",
"utc submissions",
"microsoftcorpas",
"indonesia",
"beijing gu",
"appleaustin",
"sucurisec",
"amazonaes",
"limited",
"tsara brashears",
"pornhub",
"thebrotherssabey",
"then brothers sabey",
"brian sabey",
"apple",
"icloud",
"apple engineering",
"soc",
"hacker",
"teams",
"malvertizing",
"cyberthreat",
"cyber crime",
"data",
"v3 serial",
"number",
"cgb stgreater",
"ecc domain",
"server ca",
"subject public",
"key info",
"key algorithm",
"ec oid",
"remote",
"remote attacker",
"benjamin",
"worm",
"trojan",
"win32",
"trojanspy",
"ransomware",
"command and control",
"cnc",
"c2",
"stealer",
"password",
"apple unlocker",
"pornographers",
"cyber stalking",
"revenge rat",
"masquerading",
"scanning host",
"phishing",
"dns",
"network",
"cobalt strike",
"mitre attack",
"metro hacker",
"t-mobile hacker",
"stalker",
"social engineering",
"et",
"torrent trecker",
"view",
"duckdns",
"blackhat",
"data center",
"tracking",
"illegal",
"malware scripting",
"malware spreader",
"network rat",
"multiple botnetworks"
],
"references": [
"https://thebrotherssabey.wordpress.com/",
"acam-mdn.apple.com",
"beacons.bcp.gvt.com",
"cpcontacts.webcamara.online",
"http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15",
"http://ti.hicloudcam.com",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://search.app.goo.gl/?ofl",
"Worm:Win32/Benjamin",
"FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab",
"FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5",
"FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5",
"applemusic-spotlight.myunidays.com",
"nr-data.net",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4",
"blackhat.store",
"api.telegram.org",
"cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Silk",
"display_name": "Silk",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65a429795adf468b427a3c8b",
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2469,
"URL": 6038,
"FileHash-MD5": 169,
"FileHash-SHA1": 157,
"FileHash-SHA256": 3922,
"CIDR": 2,
"hostname": 2787,
"email": 2,
"CVE": 1
},
"indicator_count": 15547,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "591 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b85faa9b8e3e1206d7f25c",
"name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ",
"description": "",
"modified": "2024-06-15T04:39:29.943000",
"created": "2024-01-30T02:32:10.210000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659719b77c383c73c05208a9",
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3503,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "673 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65d34c8a64436a7aee2e25a1",
"name": "Locky: File Deletion targeting incriminating archived files.",
"description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.",
"modified": "2024-03-20T12:00:39.809000",
"created": "2024-02-19T12:41:46.707000",
"tags": [
"it consultant",
"uk collection",
"dns intel",
"ips collection",
"suspicous ip",
"whois file",
"cname",
"record type",
"ttl value",
"algorithm",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"whois lookup",
"region create",
"domain",
"name server",
"registrant name",
"technical city",
"region update",
"united",
"command decode",
"mitre att",
"suricata ipv4",
"windows nt",
"win64",
"khtml",
"gecko",
"ck id",
"cookie",
"meta",
"february",
"hybrid",
"general",
"click",
"strings",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"dns replication",
"code",
"namecheap",
"registrar abuse",
"namecheap inc",
"privacy service",
"withheld",
"privacy",
"dnssec",
"email",
"first",
"bodis",
"unknown",
"creation date",
"search",
"emails",
"as397240",
"date",
"next",
"all octoseek",
"threat roundup",
"january",
"june",
"historical ssl",
"referrer",
"contacted",
"group",
"execution",
"phishing",
"malware",
"core",
"malicious",
"dark power",
"play ransomware",
"pe32",
"intel",
"ms windows",
"win32 dynamic",
"link library",
"win16 ne",
"icons library",
"os2 executable",
"pe32 linker",
"gnu linker",
"compiler",
"info header",
"name md5",
"overlay",
"passive dns",
"entries",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojan",
"location united",
"query",
"activity dns",
"observed dns",
"msie",
"high",
"copy",
"write",
"win32",
"hashes",
"host interaction",
"sabey type",
"hallrender",
"brian sabey",
"memory pattern",
"http requests",
"http method",
"get response",
"dns resolutions",
"ip traffic",
"domains",
"mutex",
"samplepath",
"created",
"shell commands",
"r processes",
"tree",
"analyze",
"hostnames",
"url https",
"samples",
"hostname",
"pattern urls",
"memory",
"pattern",
"pattern domains",
"roundup",
"formbook",
"mirai",
"ben c",
"injection",
"server",
"scan endpoints",
"show",
"august",
"bq feb",
"chrome",
"precondition",
"virtool",
"downloadmr",
"body",
"status",
"servers",
"record value",
"name servers",
"showing",
"mailrubar",
"trojanclicker",
"slcc2",
"media center",
"delete c",
"malware beacon",
"suspicious",
"class",
"internal",
"local",
"encrypt",
"as15169 google",
"gmt cache",
"twitter",
"rostpay",
"date hash",
"avast avg",
"mtb may",
"susp",
"cryp",
"win32upatre may",
"mtb showing",
"lowfi",
"aaaa",
"win32pcmega jan",
"urlshortner dec",
"urlshortner sep",
"as133618",
"nxdomain",
"as133775 xiamen",
"germany unknown",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"whois record",
"ssl certificate",
"tsara brashears",
"resolutions",
"critical risk",
"apple phone",
"unlocker",
"shell code",
"installer",
"ursnif",
"hacktool",
"emotet",
"tracker",
"chaos",
"ransomexx",
"xor ddos",
"xorddos",
"mitre attack",
"parent domain",
"urls url",
"siblings",
"metro",
"communicating",
"collection",
"dropped",
"skynet",
"youth",
"com laude",
"ltd dba",
"utc submissions",
"submitters",
"cloudflarenet",
"akamaias",
"digitaloceanasn",
"csc corporate",
"pt mora",
"univjos",
"etisalat misr",
"acurix networks",
"pty ltd",
"beijing baidu",
"highly targeted",
"http",
"network hijacks",
"redline stealer",
"whois sslcert",
"contacted urls",
"whois whois",
"september",
"hidden cobra",
"threats",
"kimsuky",
"service",
"read c",
"create c",
"write c",
"regsetvalueexa",
"mozilla",
"capture",
"asnone",
"domain http",
"request",
"malware dns",
"lookup wannacry",
"default",
"ransom",
"push",
"playgame",
"command",
"email document",
"exploit domain",
"owner exploit",
"kit exploit",
"source file",
"hacking tools",
"hunting macro",
"malware hosting",
"memory scanning",
"yara detections",
"debug",
"icmp traffic",
"pdb path",
"pe section",
"low software",
"packing t1045",
"ransomware",
"egregor",
"find",
"false",
"psexec",
"powershell",
"qakbot",
"qbot",
"icedid"
],
"references": [
"redhatdelete.com",
"Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}",
"explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe",
"https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60",
"Trojan-Ransom.Win32.Blocker.jgb Checkin",
"https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Australia",
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"target": null
},
{
"id": "Rostpay",
"display_name": "Rostpay",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Mitre Attack",
"display_name": "Mitre Attack",
"target": null
},
{
"id": "Chaos (ELF)",
"display_name": "Chaos (ELF)",
"target": null
},
{
"id": "TrojanDropper:Win32/GameHack",
"display_name": "TrojanDropper:Win32/GameHack",
"target": "/malware/TrojanDropper:Win32/GameHack"
},
{
"id": "Win.Ransomware.Locky-7766366-0",
"display_name": "Win.Ransomware.Locky-7766366-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "ALF:E5.SpikeAex.rhh_pid",
"display_name": "ALF:E5.SpikeAex.rhh_pid",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1563",
"name": "Remote Service Session Hijacking",
"display_name": "T1563 - Remote Service Session Hijacking"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1848,
"FileHash-SHA1": 1783,
"FileHash-SHA256": 7170,
"domain": 1649,
"hostname": 1191,
"email": 9,
"URL": 729,
"CVE": 2,
"SSLCertFingerprint": 2,
"CIDR": 1
},
"indicator_count": 14384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65d34c91868744aa1449fef2",
"name": "Locky: File Deletion targeting incriminating archived files.",
"description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.",
"modified": "2024-03-20T12:00:39.809000",
"created": "2024-02-19T12:41:52.846000",
"tags": [
"it consultant",
"uk collection",
"dns intel",
"ips collection",
"suspicous ip",
"whois file",
"cname",
"record type",
"ttl value",
"algorithm",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"whois lookup",
"region create",
"domain",
"name server",
"registrant name",
"technical city",
"region update",
"united",
"command decode",
"mitre att",
"suricata ipv4",
"windows nt",
"win64",
"khtml",
"gecko",
"ck id",
"cookie",
"meta",
"february",
"hybrid",
"general",
"click",
"strings",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"dns replication",
"code",
"namecheap",
"registrar abuse",
"namecheap inc",
"privacy service",
"withheld",
"privacy",
"dnssec",
"email",
"first",
"bodis",
"unknown",
"creation date",
"search",
"emails",
"as397240",
"date",
"next",
"all octoseek",
"threat roundup",
"january",
"june",
"historical ssl",
"referrer",
"contacted",
"group",
"execution",
"phishing",
"malware",
"core",
"malicious",
"dark power",
"play ransomware",
"pe32",
"intel",
"ms windows",
"win32 dynamic",
"link library",
"win16 ne",
"icons library",
"os2 executable",
"pe32 linker",
"gnu linker",
"compiler",
"info header",
"name md5",
"overlay",
"passive dns",
"entries",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojan",
"location united",
"query",
"activity dns",
"observed dns",
"msie",
"high",
"copy",
"write",
"win32",
"hashes",
"host interaction",
"sabey type",
"hallrender",
"brian sabey",
"memory pattern",
"http requests",
"http method",
"get response",
"dns resolutions",
"ip traffic",
"domains",
"mutex",
"samplepath",
"created",
"shell commands",
"r processes",
"tree",
"analyze",
"hostnames",
"url https",
"samples",
"hostname",
"pattern urls",
"memory",
"pattern",
"pattern domains",
"roundup",
"formbook",
"mirai",
"ben c",
"injection",
"server",
"scan endpoints",
"show",
"august",
"bq feb",
"chrome",
"precondition",
"virtool",
"downloadmr",
"body",
"status",
"servers",
"record value",
"name servers",
"showing",
"mailrubar",
"trojanclicker",
"slcc2",
"media center",
"delete c",
"malware beacon",
"suspicious",
"class",
"internal",
"local",
"encrypt",
"as15169 google",
"gmt cache",
"twitter",
"rostpay",
"date hash",
"avast avg",
"mtb may",
"susp",
"cryp",
"win32upatre may",
"mtb showing",
"lowfi",
"aaaa",
"win32pcmega jan",
"urlshortner dec",
"urlshortner sep",
"as133618",
"nxdomain",
"as133775 xiamen",
"germany unknown",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"whois record",
"ssl certificate",
"tsara brashears",
"resolutions",
"critical risk",
"apple phone",
"unlocker",
"shell code",
"installer",
"ursnif",
"hacktool",
"emotet",
"tracker",
"chaos",
"ransomexx",
"xor ddos",
"xorddos",
"mitre attack",
"parent domain",
"urls url",
"siblings",
"metro",
"communicating",
"collection",
"dropped",
"skynet",
"youth",
"com laude",
"ltd dba",
"utc submissions",
"submitters",
"cloudflarenet",
"akamaias",
"digitaloceanasn",
"csc corporate",
"pt mora",
"univjos",
"etisalat misr",
"acurix networks",
"pty ltd",
"beijing baidu",
"highly targeted",
"http",
"network hijacks",
"redline stealer",
"whois sslcert",
"contacted urls",
"whois whois",
"september",
"hidden cobra",
"threats",
"kimsuky",
"service",
"read c",
"create c",
"write c",
"regsetvalueexa",
"mozilla",
"capture",
"asnone",
"domain http",
"request",
"malware dns",
"lookup wannacry",
"default",
"ransom",
"push",
"playgame",
"command",
"email document",
"exploit domain",
"owner exploit",
"kit exploit",
"source file",
"hacking tools",
"hunting macro",
"malware hosting",
"memory scanning",
"yara detections",
"debug",
"icmp traffic",
"pdb path",
"pe section",
"low software",
"packing t1045",
"ransomware",
"egregor",
"find",
"false",
"psexec",
"powershell",
"qakbot",
"qbot",
"icedid"
],
"references": [
"redhatdelete.com",
"Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}",
"explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe",
"https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60",
"Trojan-Ransom.Win32.Blocker.jgb Checkin",
"https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Australia",
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"target": null
},
{
"id": "Rostpay",
"display_name": "Rostpay",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Mitre Attack",
"display_name": "Mitre Attack",
"target": null
},
{
"id": "Chaos (ELF)",
"display_name": "Chaos (ELF)",
"target": null
},
{
"id": "TrojanDropper:Win32/GameHack",
"display_name": "TrojanDropper:Win32/GameHack",
"target": "/malware/TrojanDropper:Win32/GameHack"
},
{
"id": "Win.Ransomware.Locky-7766366-0",
"display_name": "Win.Ransomware.Locky-7766366-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "ALF:E5.SpikeAex.rhh_pid",
"display_name": "ALF:E5.SpikeAex.rhh_pid",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1563",
"name": "Remote Service Session Hijacking",
"display_name": "T1563 - Remote Service Session Hijacking"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 57,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1848,
"FileHash-SHA1": 1783,
"FileHash-SHA256": 7170,
"domain": 1649,
"hostname": 1191,
"email": 9,
"URL": 729,
"CVE": 2,
"SSLCertFingerprint": 2,
"CIDR": 1
},
"indicator_count": 14384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65d3acf32e1088e76165a307",
"name": "Locky: File Deletion targeting incriminating archived files.",
"description": "",
"modified": "2024-03-20T12:00:39.809000",
"created": "2024-02-19T19:33:07.504000",
"tags": [
"it consultant",
"uk collection",
"dns intel",
"ips collection",
"suspicous ip",
"whois file",
"cname",
"record type",
"ttl value",
"algorithm",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"whois lookup",
"region create",
"domain",
"name server",
"registrant name",
"technical city",
"region update",
"united",
"command decode",
"mitre att",
"suricata ipv4",
"windows nt",
"win64",
"khtml",
"gecko",
"ck id",
"cookie",
"meta",
"february",
"hybrid",
"general",
"click",
"strings",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"dns replication",
"code",
"namecheap",
"registrar abuse",
"namecheap inc",
"privacy service",
"withheld",
"privacy",
"dnssec",
"email",
"first",
"bodis",
"unknown",
"creation date",
"search",
"emails",
"as397240",
"date",
"next",
"all octoseek",
"threat roundup",
"january",
"june",
"historical ssl",
"referrer",
"contacted",
"group",
"execution",
"phishing",
"malware",
"core",
"malicious",
"dark power",
"play ransomware",
"pe32",
"intel",
"ms windows",
"win32 dynamic",
"link library",
"win16 ne",
"icons library",
"os2 executable",
"pe32 linker",
"gnu linker",
"compiler",
"info header",
"name md5",
"overlay",
"passive dns",
"entries",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojan",
"location united",
"query",
"activity dns",
"observed dns",
"msie",
"high",
"copy",
"write",
"win32",
"hashes",
"host interaction",
"sabey type",
"hallrender",
"brian sabey",
"memory pattern",
"http requests",
"http method",
"get response",
"dns resolutions",
"ip traffic",
"domains",
"mutex",
"samplepath",
"created",
"shell commands",
"r processes",
"tree",
"analyze",
"hostnames",
"url https",
"samples",
"hostname",
"pattern urls",
"memory",
"pattern",
"pattern domains",
"roundup",
"formbook",
"mirai",
"ben c",
"injection",
"server",
"scan endpoints",
"show",
"august",
"bq feb",
"chrome",
"precondition",
"virtool",
"downloadmr",
"body",
"status",
"servers",
"record value",
"name servers",
"showing",
"mailrubar",
"trojanclicker",
"slcc2",
"media center",
"delete c",
"malware beacon",
"suspicious",
"class",
"internal",
"local",
"encrypt",
"as15169 google",
"gmt cache",
"twitter",
"rostpay",
"date hash",
"avast avg",
"mtb may",
"susp",
"cryp",
"win32upatre may",
"mtb showing",
"lowfi",
"aaaa",
"win32pcmega jan",
"urlshortner dec",
"urlshortner sep",
"as133618",
"nxdomain",
"as133775 xiamen",
"germany unknown",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"whois record",
"ssl certificate",
"tsara brashears",
"resolutions",
"critical risk",
"apple phone",
"unlocker",
"shell code",
"installer",
"ursnif",
"hacktool",
"emotet",
"tracker",
"chaos",
"ransomexx",
"xor ddos",
"xorddos",
"mitre attack",
"parent domain",
"urls url",
"siblings",
"metro",
"communicating",
"collection",
"dropped",
"skynet",
"youth",
"com laude",
"ltd dba",
"utc submissions",
"submitters",
"cloudflarenet",
"akamaias",
"digitaloceanasn",
"csc corporate",
"pt mora",
"univjos",
"etisalat misr",
"acurix networks",
"pty ltd",
"beijing baidu",
"highly targeted",
"http",
"network hijacks",
"redline stealer",
"whois sslcert",
"contacted urls",
"whois whois",
"september",
"hidden cobra",
"threats",
"kimsuky",
"service",
"read c",
"create c",
"write c",
"regsetvalueexa",
"mozilla",
"capture",
"asnone",
"domain http",
"request",
"malware dns",
"lookup wannacry",
"default",
"ransom",
"push",
"playgame",
"command",
"email document",
"exploit domain",
"owner exploit",
"kit exploit",
"source file",
"hacking tools",
"hunting macro",
"malware hosting",
"memory scanning",
"yara detections",
"debug",
"icmp traffic",
"pdb path",
"pe section",
"low software",
"packing t1045",
"ransomware",
"egregor",
"find",
"false",
"psexec",
"powershell",
"qakbot",
"qbot",
"icedid"
],
"references": [
"redhatdelete.com",
"Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}",
"explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe",
"https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60",
"Trojan-Ransom.Win32.Blocker.jgb Checkin",
"https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Australia",
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"target": null
},
{
"id": "Rostpay",
"display_name": "Rostpay",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Mitre Attack",
"display_name": "Mitre Attack",
"target": null
},
{
"id": "Chaos (ELF)",
"display_name": "Chaos (ELF)",
"target": null
},
{
"id": "TrojanDropper:Win32/GameHack",
"display_name": "TrojanDropper:Win32/GameHack",
"target": "/malware/TrojanDropper:Win32/GameHack"
},
{
"id": "Win.Ransomware.Locky-7766366-0",
"display_name": "Win.Ransomware.Locky-7766366-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "ALF:E5.SpikeAex.rhh_pid",
"display_name": "ALF:E5.SpikeAex.rhh_pid",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1563",
"name": "Remote Service Session Hijacking",
"display_name": "T1563 - Remote Service Session Hijacking"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65d34c91868744aa1449fef2",
"export_count": 64,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1848,
"FileHash-SHA1": 1783,
"FileHash-SHA256": 7170,
"domain": 1649,
"hostname": 1191,
"email": 9,
"URL": 729,
"CVE": 2,
"SSLCertFingerprint": 2,
"CIDR": 1
},
"indicator_count": 14384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65d3c31230455f6d8da3a9f0",
"name": "Locky: File Deletion targeting incriminating archived files II",
"description": "",
"modified": "2024-03-20T12:00:39.809000",
"created": "2024-02-19T21:07:30.887000",
"tags": [
"it consultant",
"uk collection",
"dns intel",
"ips collection",
"suspicous ip",
"whois file",
"cname",
"record type",
"ttl value",
"algorithm",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"whois lookup",
"region create",
"domain",
"name server",
"registrant name",
"technical city",
"region update",
"united",
"command decode",
"mitre att",
"suricata ipv4",
"windows nt",
"win64",
"khtml",
"gecko",
"ck id",
"cookie",
"meta",
"february",
"hybrid",
"general",
"click",
"strings",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"dns replication",
"code",
"namecheap",
"registrar abuse",
"namecheap inc",
"privacy service",
"withheld",
"privacy",
"dnssec",
"email",
"first",
"bodis",
"unknown",
"creation date",
"search",
"emails",
"as397240",
"date",
"next",
"all octoseek",
"threat roundup",
"january",
"june",
"historical ssl",
"referrer",
"contacted",
"group",
"execution",
"phishing",
"malware",
"core",
"malicious",
"dark power",
"play ransomware",
"pe32",
"intel",
"ms windows",
"win32 dynamic",
"link library",
"win16 ne",
"icons library",
"os2 executable",
"pe32 linker",
"gnu linker",
"compiler",
"info header",
"name md5",
"overlay",
"passive dns",
"entries",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojan",
"location united",
"query",
"activity dns",
"observed dns",
"msie",
"high",
"copy",
"write",
"win32",
"hashes",
"host interaction",
"sabey type",
"hallrender",
"brian sabey",
"memory pattern",
"http requests",
"http method",
"get response",
"dns resolutions",
"ip traffic",
"domains",
"mutex",
"samplepath",
"created",
"shell commands",
"r processes",
"tree",
"analyze",
"hostnames",
"url https",
"samples",
"hostname",
"pattern urls",
"memory",
"pattern",
"pattern domains",
"roundup",
"formbook",
"mirai",
"ben c",
"injection",
"server",
"scan endpoints",
"show",
"august",
"bq feb",
"chrome",
"precondition",
"virtool",
"downloadmr",
"body",
"status",
"servers",
"record value",
"name servers",
"showing",
"mailrubar",
"trojanclicker",
"slcc2",
"media center",
"delete c",
"malware beacon",
"suspicious",
"class",
"internal",
"local",
"encrypt",
"as15169 google",
"gmt cache",
"twitter",
"rostpay",
"date hash",
"avast avg",
"mtb may",
"susp",
"cryp",
"win32upatre may",
"mtb showing",
"lowfi",
"aaaa",
"win32pcmega jan",
"urlshortner dec",
"urlshortner sep",
"as133618",
"nxdomain",
"as133775 xiamen",
"germany unknown",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"whois record",
"ssl certificate",
"tsara brashears",
"resolutions",
"critical risk",
"apple phone",
"unlocker",
"shell code",
"installer",
"ursnif",
"hacktool",
"emotet",
"tracker",
"chaos",
"ransomexx",
"xor ddos",
"xorddos",
"mitre attack",
"parent domain",
"urls url",
"siblings",
"metro",
"communicating",
"collection",
"dropped",
"skynet",
"youth",
"com laude",
"ltd dba",
"utc submissions",
"submitters",
"cloudflarenet",
"akamaias",
"digitaloceanasn",
"csc corporate",
"pt mora",
"univjos",
"etisalat misr",
"acurix networks",
"pty ltd",
"beijing baidu",
"highly targeted",
"http",
"network hijacks",
"redline stealer",
"whois sslcert",
"contacted urls",
"whois whois",
"september",
"hidden cobra",
"threats",
"kimsuky",
"service",
"read c",
"create c",
"write c",
"regsetvalueexa",
"mozilla",
"capture",
"asnone",
"domain http",
"request",
"malware dns",
"lookup wannacry",
"default",
"ransom",
"push",
"playgame",
"command",
"email document",
"exploit domain",
"owner exploit",
"kit exploit",
"source file",
"hacking tools",
"hunting macro",
"malware hosting",
"memory scanning",
"yara detections",
"debug",
"icmp traffic",
"pdb path",
"pe section",
"low software",
"packing t1045",
"ransomware",
"egregor",
"find",
"false",
"psexec",
"powershell",
"qakbot",
"qbot",
"icedid"
],
"references": [
"redhatdelete.com",
"Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}",
"explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe",
"https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60",
"Trojan-Ransom.Win32.Blocker.jgb Checkin",
"https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Australia",
"United States of America"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin",
"target": null
},
{
"id": "Rostpay",
"display_name": "Rostpay",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Mitre Attack",
"display_name": "Mitre Attack",
"target": null
},
{
"id": "Chaos (ELF)",
"display_name": "Chaos (ELF)",
"target": null
},
{
"id": "TrojanDropper:Win32/GameHack",
"display_name": "TrojanDropper:Win32/GameHack",
"target": "/malware/TrojanDropper:Win32/GameHack"
},
{
"id": "Win.Ransomware.Locky-7766366-0",
"display_name": "Win.Ransomware.Locky-7766366-0",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "ALF:E5.SpikeAex.rhh_pid",
"display_name": "ALF:E5.SpikeAex.rhh_pid",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1563",
"name": "Remote Service Session Hijacking",
"display_name": "T1563 - Remote Service Session Hijacking"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65d34c8a64436a7aee2e25a1",
"export_count": 73,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Enqrypted",
"id": "272105",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1848,
"FileHash-SHA1": 1783,
"FileHash-SHA256": 7170,
"domain": 1649,
"hostname": 1191,
"email": 9,
"URL": 729,
"CVE": 2,
"SSLCertFingerprint": 2,
"CIDR": 1
},
"indicator_count": 14384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 62,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4768b06f4da2fba5959b",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:44.270000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "766 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c96df8fe0657d56a206a49",
"name": "Nokoyawa Ransomware - https://house.mo.gov/",
"description": "Cyber attack including Pegasus found in https://house.mo.gov/\nThis Observed links: dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/Appears to attacking with heightened privilege escalation.\nLinks originated from https://safebae.org attack, various Westlaw links and links attacking a private citizen. HallRender is malware hosting domain featuring an aggressive 'Brian Sabey' representing self as attorney protecting white collar individuals accused of SA is attacker. Boldly contacts victims via mail, email, phone, text, invites, personal invitations to office. \n\nFront facing https://safebae.org, a 'tribute' domain may mention alleged SA victim Daisy Coleman. Research confirms no mention of 'Daisy' safebae is filled with cyber bullying toolkit; ransomware.csv, tracking, westlaw, tagging tools, pornhub, rallypoint, adult malvertizing content targeting a Colorado SA victim. \nIt's all very real but so unbelievable. Malware spreading, cyberthreat",
"modified": "2024-03-13T00:02:54.335000",
"created": "2024-02-12T01:01:44.323000",
"tags": [
"runtime process",
"localappdata",
"size",
"sha256",
"sha1",
"temp",
"prefetch8",
"prefetch1",
"unicode text",
"type data",
"hybrid",
"general",
"click",
"strings",
"contact",
"mitre",
"writes a pe file header to disc",
"show process",
"date",
"document file",
"v2 document",
"ascii text",
"malicious",
"local",
"path",
"found",
"ssl certificate",
"whois record",
"threat roundup",
"contacted",
"october",
"resolutions",
"apple ios",
"referrer",
"communicating",
"execution",
"june",
"august",
"emotet",
"qakbot",
"agent tesla",
"azorult",
"core",
"maze",
"metro",
"dark",
"team",
"critical",
"copy",
"awful",
"ursnif",
"hacktool",
"info",
"qbot",
"april",
"njrat",
"nokoyawa",
"djvu",
"flubot",
"ransomware",
"bandit stealer",
"hallrender",
"spyware",
"safebae",
"tsara brashears",
"westlaw",
"river.rocks",
"brian sabey",
"targeting",
"dnspionage",
"united",
"unknown",
"search",
"aaaa",
"showing",
"domain",
"creation date",
"record value",
"dnssec",
"body",
"passive dns",
"encrypt",
"as14061",
"germany unknown",
"as397240",
"gmt server",
"443 ma2592000",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"main",
"installing",
"as16276",
"france unknown",
"name servers",
"as8075",
"servers",
"next",
"as63949 linode",
"as206834 team",
"canada unknown",
"status",
"as61969 team",
"msie",
"chrome",
"ransom",
"gone",
"title",
"head body",
"malware"
],
"references": [
"\u2193\u2192Found in: https://house.mo.gov/\u2193",
"dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
"demo.auth.civicalg.com.sni.cloudflaressl.com",
"happyrabbit.kr [Apple iOS threat]",
"https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
"https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
"https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
"https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
"http://nudeteenporn.site"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Nokoyawa Ransomware",
"display_name": "Nokoyawa Ransomware",
"target": null
},
{
"id": "Bandit Stealer",
"display_name": "Bandit Stealer",
"target": null
},
{
"id": "FluBot",
"display_name": "FluBot",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "QBot",
"display_name": "QBot",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "AZORult",
"display_name": "AZORult",
"target": null
},
{
"id": "Djvu",
"display_name": "Djvu",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Maze",
"display_name": "Maze",
"target": null
},
{
"id": "Dark",
"display_name": "Dark",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1065",
"name": "Uncommonly Used Port",
"display_name": "T1065 - Uncommonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 194,
"FileHash-SHA1": 191,
"FileHash-SHA256": 2376,
"domain": 1414,
"URL": 4388,
"hostname": 1699,
"CVE": 4,
"email": 5
},
"indicator_count": 10271,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "767 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c7b86fa120d19bbc88f367",
"name": "Hijacker",
"description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.",
"modified": "2024-03-11T17:01:59.026000",
"created": "2024-02-10T17:54:55.243000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"tsara brashears",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"high level",
"hackers",
"hacktool",
"download",
"malware",
"crypto",
"hijacker",
"monitoring",
"installer",
"tofsee",
"domains domains",
"domains files",
"files files",
"script",
"kgs0",
"kls0",
"relic",
"iframe",
"pe32 executable",
"ms windows",
"intel",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"rticon neutral",
"info compiler",
"products id",
"header intel",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"neutral",
"first",
"utc submissions",
"submitters",
"company limited",
"computer",
"amazonaes",
"china telecom",
"group",
"csc corporate",
"domains",
"malware spreading evader",
"cnc",
"malvertizing",
"milehighmedia",
"trojandropper",
"moved",
"passive dns",
"urls",
"as14576",
"backdoor",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"trojan",
"encrypt",
"body",
"date",
"date hash",
"avast avg",
"mtb may",
"kratona",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"urls https",
"script urls",
"united",
"meta",
"unknown",
"emails",
"name servers",
"search",
"as62597 nsone",
"a domains",
"as397241",
"media",
"next",
"december",
"unlocker",
"threat round",
"apple ios",
"apple phone",
"project",
"blister",
"agent tesla",
"open",
"execution",
"videos",
"strong",
"porn videos",
"watch",
"daddy",
"free",
"top rated",
"most viewed",
"cancel anytime",
"views",
"play",
"black",
"enjoy",
"czech",
"hunk",
"virtool",
"cryp",
"creation date",
"otx telemetry",
"expiration date",
"servers",
"status",
"win32",
"showing",
"domain",
"nxdomain",
"as8075",
"shell code",
"threat",
"cyber espionage",
"cyber stalking",
"danger",
"critical",
"attack",
"treats",
"as15169 google",
"aaaa",
"record value",
"error",
"entries",
"hostname",
"url http",
"http",
"files domain",
"files related",
"shinjiru msc",
"sdn bhd",
"dnssec",
"protect",
"as54455 madeit",
"phishing",
"backdoor",
"contextualizing",
"elevated exposure",
"malvertizing",
"ransom",
"msil",
"hackers for hire",
"hashes",
"http method",
"get http",
"http requests",
"get dns",
"ip traffic",
"memory pattern",
"pattern ips",
"@emreimer",
"iextract2",
"cp cyber",
"denver",
"security",
"siem compliance",
"skip",
"cybersecurity",
"larimer st",
"suite",
"resources cyber",
"risk assessment",
"bill",
"mind",
"delaware",
"pa",
"arizona",
"colorado",
"stalkers",
"deuteronomy 28:7",
"hitmen"
],
"references": [
"honey.exe",
"0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550",
"CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community",
"CS Sigma Rules: Python Initiated Connection by frack113",
"CS Sigma Rules: Use Remove-Item to Delete File by frack113",
"CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)",
"Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"api.login.live.com",
"http://appleid.icloud.com-website33.org/",
"https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]",
"FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]",
"http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]",
"message.htm.com",
"http://pornhub.com/gay/video/search",
"CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111",
"stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "W32.Sality.PE",
"display_name": "W32.Sality.PE",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Virus.Win32.Virut.q",
"display_name": "Virus.Win32.Virut.q",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "TrojanDropper:Win32",
"display_name": "TrojanDropper:Win32",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 54,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6303,
"FileHash-MD5": 215,
"FileHash-SHA1": 192,
"FileHash-SHA256": 2663,
"domain": 2673,
"hostname": 2686,
"CVE": 2,
"email": 16
},
"indicator_count": 14750,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "769 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c607c354336e9c19aa3e1f",
"name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio",
"description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.",
"modified": "2024-03-10T11:05:48.248000",
"created": "2024-02-09T11:08:51.939000",
"tags": [
"url http",
"united",
"unknown",
"search",
"status",
"creation date",
"date",
"expiration date",
"showing",
"as201682 liquid",
"as32244 liquid",
"trojan",
"passive dns",
"entries",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"open",
"win32",
"body",
"date hash",
"avast avg",
"lowfi",
"ssl certificate",
"contacted",
"whois whois",
"sdhyzbh7v http",
"whois record",
"execution",
"apple ios",
"historical ssl",
"resolutions",
"sdhyzbh7v",
"attack",
"ransomexx",
"quasar",
"asyncrat",
"hacktool",
"maze",
"find",
"hell",
"crypto",
"remcosrat",
"worm",
"first",
"utc submissions",
"submitters",
"computer",
"company limited",
"gandi sas",
"porkbun llc",
"ovh sas",
"summary iocs",
"graph community",
"as63949 linode",
"for privacy",
"asnone united",
"as174 cogent",
"as197695 domain",
"russia unknown",
"as16276",
"france unknown",
"encrypt",
"next",
"tsara brashears",
"targeting",
"cyber threat",
"abuse",
"malware spreading",
"hallgrand",
"tulach",
"sabey data centers",
"sav.com",
"outbreak",
"location united",
"asn as63949",
"whois registrar",
"related tags",
"interfacing",
"malicious",
"retaliation",
"botnet",
"porn",
"teen porn",
"illegal activities",
"theft",
"side3studios"
],
"references": [
"http://mobilesmafia.com/applications/botnet.ex",
"Found in: https://Side3.com/",
"CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
"https://otx.alienvault.com/indicator/domain/findmy-apple.support",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
"nr-data.net [Apple Private Data Collection]",
"WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?",
"/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
"http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
"pornhub.org",
"ww12.indianpornxxxtube.com",
"youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:Inject-BCL\\ [Trj]",
"display_name": "Win32:Inject-BCL\\ [Trj]",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Trj]",
"display_name": "Win32:Evo-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Mbrlock-9779766-0",
"display_name": "Win.Trojan.Mbrlock-9779766-0",
"target": null
},
{
"id": "Win.Trojan.Agent-828507",
"display_name": "Win.Trojan.Agent-828507",
"target": null
},
{
"id": "SHeur4.CEOO",
"display_name": "SHeur4.CEOO",
"target": null
},
{
"id": "Win32/Cryptor",
"display_name": "Win32/Cryptor",
"target": null
},
{
"id": "Win32/Tanatos.A",
"display_name": "Win32/Tanatos.A",
"target": null
},
{
"id": "W32.Sality-73",
"display_name": "W32.Sality-73",
"target": null
},
{
"id": "Generic_r.BYW",
"display_name": "Generic_r.BYW",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Trojan:Win32/RemcosRAT",
"display_name": "Trojan:Win32/RemcosRAT",
"target": "/malware/Trojan:Win32/RemcosRAT"
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [
"Entertainment",
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 71387,
"domain": 8768,
"hostname": 17727,
"email": 16,
"FileHash-MD5": 195,
"FileHash-SHA1": 168,
"FileHash-SHA256": 15313,
"CVE": 9,
"CIDR": 7
},
"indicator_count": 113590,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "770 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c4a099f6a2c8fc2bb85d4b",
"name": "Cyber espionage & ransomware attacks Denver Recording Studio",
"description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.",
"modified": "2024-03-09T09:02:09.950000",
"created": "2024-02-08T09:36:25.114000",
"tags": [
"ssl certificate",
"contacted",
"historical ssl",
"february",
"referrer",
"threat roundup",
"apple ios",
"goldfinder",
"sibot",
"goldmax",
"hacktool",
"malicious",
"formbook",
"contacted urls",
"resolutions",
"malware",
"njrat",
"ransomware",
"open",
"cyber criminal",
"record type",
"ttl value",
"dropped",
"execution",
"hashes hashes",
"hashes",
"network",
"communicating",
"maui ransomware",
"type name",
"jpeg",
"ms word",
"document",
"whois record",
"january",
"october",
"december",
"april",
"august",
"crypto",
"awful",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"self",
"march",
"urls http",
"threat network",
"problems",
"whois whois",
"probe",
"startpage",
"premium",
"snatch",
"first",
"utc submissions",
"submitters",
"cloudflarenet",
"gvb gelimed",
"com laude",
"mb super",
"optimizer",
"amazonaes",
"summary iocs",
"twitter",
"united",
"as20940",
"aaaa",
"as714 apple",
"as16625 akamai",
"win32mydoom feb",
"name servers",
"trojan",
"as6185 apple",
"creation date",
"virtool",
"worm",
"date",
"win32",
"urls",
"search",
"servers",
"targeting",
"target",
"tsara brashears",
"united kingdom",
"whitelisted",
"as6453 tata",
"passive dns",
"domain",
"as46606",
"scan endpoints",
"all search",
"otx octoseek",
"pulse submit",
"url analysis",
"as54113",
"entries",
"moved",
"body",
"unknown",
"found",
"files",
"backdoor",
"expiration date",
"hallrender",
"tulach",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"as62597 nsone",
"as62729",
"showing",
"next",
"as2914 ntt",
"ireland unknown",
"germany unknown",
"as6461 zayo",
"as7843 charter",
"as3257 gtt",
"ip address",
"location united",
"for privacy",
"record value",
"as54990",
"bouvet island",
"encrypt",
"show",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"as15169 google",
"domains ii",
"sality",
"ck id",
"ck matrix",
"intellectual property theft",
"malicious file transfers",
"scheme",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"urls url",
"j490s6lkpppw",
"lfqprnkje8dni0"
],
"references": [
"https://side3.com/",
"https://www.side3.com",
"http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]",
"http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]",
"http://fillmark.net/index.php [phishing]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"www-temp.metrobyt-mobile.com [malicious | data collection]",
"www.icloud.com [wp-login.php]",
"webdisk.thehomemakers.nl [spyware | tracking]",
"https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]",
"URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org",
"cs9.wac.phicdn.net.1.1.e64a8639.roksit.net",
"www.anyxxxtube.net [malicious data collection]",
"s3.amazonaws.com [targeting data collection]",
"https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]",
"api.utah.edu [access apple]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]",
"tv.apple.com",
"104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]",
"andrewka6.pythonanywhere.com [python connection - apple]",
"http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma",
"https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign",
"sonymobilemail.com",
"https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf",
"pegahpouraseflaw.info",
"http://mouthgrave.net/index.php",
"ransomed.vc",
"Intellectual property accessed and distributed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Cyber Criminal",
"display_name": "Cyber Criminal",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax",
"display_name": "GoldMax",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
}
],
"attack_ids": [
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1215",
"name": "Kernel Modules and Extensions",
"display_name": "T1215 - Kernel Modules and Extensions"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027.002",
"name": "Software Packing",
"display_name": "T1027.002 - Software Packing"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Entertainment",
"Technology",
"Telecommunications",
"Recording Industry",
"Entertainers",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 49,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5271,
"FileHash-MD5": 899,
"FileHash-SHA1": 881,
"FileHash-SHA256": 5609,
"domain": 2199,
"hostname": 3205,
"CVE": 1,
"email": 9
},
"indicator_count": 18074,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "771 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c4a1c74cf5f1af5be6464e",
"name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t",
"description": "",
"modified": "2024-03-09T09:02:09.950000",
"created": "2024-02-08T09:41:27.252000",
"tags": [
"ssl certificate",
"contacted",
"historical ssl",
"february",
"referrer",
"threat roundup",
"apple ios",
"goldfinder",
"sibot",
"goldmax",
"hacktool",
"malicious",
"formbook",
"contacted urls",
"resolutions",
"malware",
"njrat",
"ransomware",
"open",
"cyber criminal",
"record type",
"ttl value",
"dropped",
"execution",
"hashes hashes",
"hashes",
"network",
"communicating",
"maui ransomware",
"type name",
"jpeg",
"ms word",
"document",
"whois record",
"january",
"october",
"december",
"april",
"august",
"crypto",
"awful",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"self",
"march",
"urls http",
"threat network",
"problems",
"whois whois",
"probe",
"startpage",
"premium",
"snatch",
"first",
"utc submissions",
"submitters",
"cloudflarenet",
"gvb gelimed",
"com laude",
"mb super",
"optimizer",
"amazonaes",
"summary iocs",
"twitter",
"united",
"as20940",
"aaaa",
"as714 apple",
"as16625 akamai",
"win32mydoom feb",
"name servers",
"trojan",
"as6185 apple",
"creation date",
"virtool",
"worm",
"date",
"win32",
"urls",
"search",
"servers",
"targeting",
"target",
"tsara brashears",
"united kingdom",
"whitelisted",
"as6453 tata",
"passive dns",
"domain",
"as46606",
"scan endpoints",
"all search",
"otx octoseek",
"pulse submit",
"url analysis",
"as54113",
"entries",
"moved",
"body",
"unknown",
"found",
"files",
"backdoor",
"expiration date",
"hallrender",
"tulach",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"as62597 nsone",
"as62729",
"showing",
"next",
"as2914 ntt",
"ireland unknown",
"germany unknown",
"as6461 zayo",
"as7843 charter",
"as3257 gtt",
"ip address",
"location united",
"for privacy",
"record value",
"as54990",
"bouvet island",
"encrypt",
"show",
"filehash",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"as15169 google",
"domains ii",
"sality",
"ck id",
"ck matrix",
"intellectual property theft",
"malicious file transfers",
"scheme",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"urls url",
"j490s6lkpppw",
"lfqprnkje8dni0"
],
"references": [
"https://side3.com/",
"https://www.side3.com",
"http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]",
"http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]",
"http://fillmark.net/index.php [phishing]",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"www-temp.metrobyt-mobile.com [malicious | data collection]",
"www.icloud.com [wp-login.php]",
"webdisk.thehomemakers.nl [spyware | tracking]",
"https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]",
"URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org",
"cs9.wac.phicdn.net.1.1.e64a8639.roksit.net",
"www.anyxxxtube.net [malicious data collection]",
"s3.amazonaws.com [targeting data collection]",
"https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]",
"api.utah.edu [access apple]",
"https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]",
"tv.apple.com",
"104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]",
"andrewka6.pythonanywhere.com [python connection - apple]",
"http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma",
"https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign",
"sonymobilemail.com",
"https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf",
"pegahpouraseflaw.info",
"http://mouthgrave.net/index.php",
"ransomed.vc",
"Intellectual property accessed and distributed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Cyber Criminal",
"display_name": "Cyber Criminal",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "GoldFinder",
"display_name": "GoldFinder",
"target": null
},
{
"id": "GoldMax",
"display_name": "GoldMax",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Sibot",
"display_name": "Sibot",
"target": null
},
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
}
],
"attack_ids": [
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1215",
"name": "Kernel Modules and Extensions",
"display_name": "T1215 - Kernel Modules and Extensions"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1027.002",
"name": "Software Packing",
"display_name": "T1027.002 - Software Packing"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Entertainment",
"Technology",
"Telecommunications",
"Recording Industry",
"Entertainers",
"Civil Society"
],
"TLP": "white",
"cloned_from": "65c4a099f6a2c8fc2bb85d4b",
"export_count": 44,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5271,
"FileHash-MD5": 899,
"FileHash-SHA1": 881,
"FileHash-SHA256": 5609,
"domain": 2199,
"hostname": 3205,
"CVE": 1,
"email": 9
},
"indicator_count": 18074,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "771 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c3bd803f15cd94aab6e287",
"name": "Lumma Stealer | Colorado Medical Center HCA",
"description": "Needs further investigation. Miscellaneous attack affecting Denver physicians directory. Visitors accessing the page using insecure devices may be affected. PII & PHI breached. Monitoring.",
"modified": "2024-03-08T17:04:03.644000",
"created": "2024-02-07T17:27:28.349000",
"tags": [
"whois record",
"ssl certificate",
"contacted",
"historical ssl",
"referrer",
"execution",
"resolutions",
"problems",
"siblings domain",
"whois whois",
"startpage",
"httponly",
"samesitenone",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"language",
"html document",
"unicode text",
"utf8 text",
"doctype",
"anchor hrefs",
"hrefs",
"denver",
"tsara brashears",
"apple ios",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"contacted urls",
"hacktool",
"malicious",
"download",
"malware",
"relic",
"monitoring",
"domains",
"eurodns sa",
"markmonitor",
"ip detections",
"country",
"graph",
"https",
"mitre att",
"ta0007 network",
"t1046 sends",
"ssdp",
"command",
"control ta0011",
"protocol t1071",
"performs dns",
"layer protocol",
"number",
"cus cndigicert",
"ja3s",
"subject",
"sha2 secure",
"server ca",
"odigicert inc",
"cus cnmicrosoft",
"algorithm",
"memory pattern",
"file system",
"registry",
"registry keys",
"process",
"created",
"processes tree",
"february",
"healthone",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"url https",
"reverse dns",
"general full",
"security tls",
"protocol h2",
"software",
"frankfurt",
"main",
"germany",
"resource hash",
"de indicators",
"hashes",
"value",
"scriptsrcelem",
"variables",
"boomrmq string",
"boomrapikey",
"boomr function",
"system",
"babelpolyfill",
"assign function",
"windows nt",
"win64",
"khtml",
"gecko",
"aes256gcm",
"level",
"akamaiasn1",
"europeberlin",
"generic malware",
"tag count",
"tue dec",
"threat report",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"root ca",
"pattern match",
"authority",
"span",
"presbyterianst",
"luke",
"medical center",
"class",
"accept",
"date",
"refresh",
"blood",
"liver cancer",
"breast cancer",
"lung cancer",
"kidney cancer",
"skin cancer",
"sarcoma",
"prostate cancer",
"body",
"facebook",
"twitter",
"hybrid",
"general",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"cookie",
"command and control",
"mitre",
"scanning host",
"exploit source",
"trojan",
"callback function",
"targets",
"targeting",
"samesite=none",
"kde",
"konqueror",
"phi",
"pii",
"wTJh.exe",
"malware ransom trojan evader rat",
"network",
"rat trojan",
"relacionada",
"critical risk",
"cyberstalking",
"elf collection",
"matches rule",
"emotet",
"lockbit",
"critical",
"copy",
"installer",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"ursnif",
"core",
"as55688 pt",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"asn as55688",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"united",
"aaaa",
"unknown",
"a domains",
"search",
"creation date",
"record value",
"next",
"pornhub",
"anyxxxtube",
"domain",
"gandi sas",
"hostname",
"basic",
"pe32",
"intel",
"ms windows",
"generic windos",
"executable",
"dos executable",
"generic",
"pe32 packer",
"petite",
"vs98",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"rticon neutral",
"overlay",
"dos exe",
"threat roundup",
"pe resource",
"june",
"lumma stealer",
"ransomexx",
"azorult",
"njrat",
"open",
"problem",
"plugx",
"android",
"sex_phot.jpg.exe",
"win32 dynamic",
"link library",
"win16 ne",
"delphi generic",
"icons library",
"pe32 linker",
"lcc linker",
"empty hash",
"tulach",
"sabey",
"rat",
"remote",
"remote access trojan"
],
"references": [
"https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians",
"https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea",
"www2.megawebfind.com [command and control]",
"http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]",
"20.99.186.246 [exploit source]",
"https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]",
"Win32:RATX-gen [Trj] identified.",
"CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)",
"CS Sigma Rules: Disable UAC Using Registry by frack113",
"http://45.159.189.105/bot/regex [ tracking | botnet]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]",
"0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"Remote Access Trojan"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Indonesia",
"United States of America"
],
"malware_families": [
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Win32:RATX-gen [Trj]",
"display_name": "Win32:RATX-gen [Trj]",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "W32/Hupigon.NCU",
"display_name": "W32/Hupigon.NCU",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Wiper",
"display_name": "Wiper",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Civil Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 68,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 883,
"URL": 1412,
"FileHash-MD5": 283,
"FileHash-SHA1": 231,
"FileHash-SHA256": 2909,
"domain": 824,
"email": 3,
"CVE": 3
},
"indicator_count": 6548,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "772 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c1cdc5d695c35205593bde",
"name": "https://callback.mobileboost.me",
"description": "cobalt strike cnc, malware, network, execution, antivm_queries_computername, tulach, schema abuse, callback, contact, malicious, boost mobile, t-mobile, targets,Tsara, brashears, cyber threat, hacking, sabey, data center, cyber, cp",
"modified": "2024-03-07T05:01:03.052000",
"created": "2024-02-06T06:12:21.372000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"files",
"domain",
"files ip",
"address domain",
"url https",
"http",
"files domain",
"files related",
"cname",
"united",
"unknown",
"nxdomain",
"a nxdomain",
"ssl certificate",
"contacted",
"whois record",
"resolutions",
"whois whois",
"historical ssl",
"referrer",
"problems",
"execution",
"subdomains",
"startpage",
"simda",
"first",
"utc submissions",
"submitters",
"psiusa",
"domain robot",
"csc corporate",
"domains",
"tucows",
"ltd dba",
"com laude",
"twitter",
"indonesia",
"installer",
"kgs0",
"kls0",
"redlinestealer",
"kangen",
"china telecom",
"group",
"computer",
"company limited",
"summary iocs",
"malware",
"network",
"obz4usfn0 http",
"contacted urls",
"gootloader",
"iframe",
"stus",
"cnus",
"regsetvalueexa",
"cobalt strike",
"search",
"regdword",
"ssl cert",
"tlsv1 apr",
"cobaltstrike",
"trojan",
"copy",
"write",
"june",
"win64",
"porkbun llc",
"mb opera",
"china unicom",
"tmobileas21928",
"graph community",
"china education",
"center",
"showing",
"entries"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1874,
"hostname": 2812,
"URL": 8308,
"FileHash-SHA256": 5549,
"FileHash-MD5": 364,
"FileHash-SHA1": 326,
"email": 3,
"SSLCertFingerprint": 1
},
"indicator_count": 19237,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "773 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c012b5e56cc9474ebb701f",
"name": "Cyber espionage & Ransomware attacks spread via Phone calls",
"description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.",
"modified": "2024-03-05T22:00:26.685000",
"created": "2024-02-04T22:41:55.432000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"execution",
"historical ssl",
"contacted urls",
"whois whois",
"zfglddkl58a url",
"q0gpyr1balpdgpo",
"relacionada",
"formbook",
"smoke loader",
"iframe",
"january",
"resolutions",
"referrer",
"threat roundup",
"snatch",
"ransomware",
"hacktool",
"record type",
"ttl value",
"tsara brashears",
"apple",
"apple ios",
"password bypass",
"malware",
"password",
"apple phone",
"download",
"crypto",
"relic",
"monitoring",
"installer",
"tofsee",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"communicating",
"el0kpmhlfz",
"qdkxgr24yz",
"kgs0",
"kls0",
"malicious",
"phi",
"pii",
"dofoil",
"worn",
"rat",
"network",
"dns",
"trojan",
"remote",
"phone hacking",
"hacked by phone call",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"nginx",
"html info",
"information",
"meta tags",
"network",
"march",
"july",
"september",
"february",
"redline stealer",
"probe",
"raccoonstealer",
"no data",
"tag count",
"thu apr",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"asyncrat",
"redlinestealer",
"diamondfox",
"first",
"botnet command and control",
"python connection",
"tulach"
],
"references": [
"https://www.crccolorado.com/dr-adam-sang",
"CS IDS Rules: MALWARE Possible Compromised Host",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst",
"http://www.defi-realty.com/jem9/ [phishing]",
"http://45.159.189.105/bot/regex [phishing | tracking]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
"https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
"https://attack.mitre.org/software/S0226/",
"http://watchhers.net/index.php. [ data collection]",
"remotewd.com",
"https://remote.krogerlaw.com",
"device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com",
"www.pornhub.com [password decryption]",
"www.supernetforme.com [CnC]",
"ddos.dnsnb8.net [CnC]",
"http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs",
"https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]",
"https://us-bankofamerica.com/PhoneVerification.php/",
"http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]",
"http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip",
"http://iphones.email [redirection chain]",
"*Patient PII & PHI at critical risk"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Smoke Loader",
"display_name": "Smoke Loader",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Razy",
"display_name": "Razy",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "DangerousObject.Multi",
"display_name": "DangerousObject.Multi",
"target": null
},
{
"id": "Trojan.Injector",
"display_name": "Trojan.Injector",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
}
],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1555.003",
"name": "Credentials from Web Browsers",
"display_name": "T1555.003 - Credentials from Web Browsers"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1552.001",
"name": "Credentials In Files",
"display_name": "T1552.001 - Credentials In Files"
},
{
"id": "T1497.001",
"name": "System Checks",
"display_name": "T1497.001 - System Checks"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1059.006",
"name": "Python",
"display_name": "T1059.006 - Python"
},
{
"id": "T1059.005",
"name": "Visual Basic",
"display_name": "T1059.005 - Visual Basic"
}
],
"industries": [
"Healthcare",
"Civil Society",
"Patients"
],
"TLP": "white",
"cloned_from": null,
"export_count": 62,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 244,
"FileHash-SHA1": 237,
"FileHash-SHA256": 5468,
"URL": 3747,
"domain": 2512,
"hostname": 1593,
"CVE": 4
},
"indicator_count": 13805,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c09e487b3899f3442aed96",
"name": "Cyber espionage & Ransomware attacks spread via Phone call?",
"description": "",
"modified": "2024-03-05T22:00:26.685000",
"created": "2024-02-05T08:37:28.774000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"execution",
"historical ssl",
"contacted urls",
"whois whois",
"zfglddkl58a url",
"q0gpyr1balpdgpo",
"relacionada",
"formbook",
"smoke loader",
"iframe",
"january",
"resolutions",
"referrer",
"threat roundup",
"snatch",
"ransomware",
"hacktool",
"record type",
"ttl value",
"tsara brashears",
"apple",
"apple ios",
"password bypass",
"malware",
"password",
"apple phone",
"download",
"crypto",
"relic",
"monitoring",
"installer",
"tofsee",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"communicating",
"el0kpmhlfz",
"qdkxgr24yz",
"kgs0",
"kls0",
"malicious",
"phi",
"pii",
"dofoil",
"worn",
"rat",
"network",
"dns",
"trojan",
"remote",
"phone hacking",
"hacked by phone call",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"nginx",
"html info",
"information",
"meta tags",
"network",
"march",
"july",
"september",
"february",
"redline stealer",
"probe",
"raccoonstealer",
"no data",
"tag count",
"thu apr",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"asyncrat",
"redlinestealer",
"diamondfox",
"first",
"botnet command and control",
"python connection",
"tulach"
],
"references": [
"https://www.crccolorado.com/dr-adam-sang",
"CS IDS Rules: MALWARE Possible Compromised Host",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst",
"http://www.defi-realty.com/jem9/ [phishing]",
"http://45.159.189.105/bot/regex [phishing | tracking]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
"https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
"https://attack.mitre.org/software/S0226/",
"http://watchhers.net/index.php. [ data collection]",
"remotewd.com",
"https://remote.krogerlaw.com",
"device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com",
"www.pornhub.com [password decryption]",
"www.supernetforme.com [CnC]",
"ddos.dnsnb8.net [CnC]",
"http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs",
"https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]",
"https://us-bankofamerica.com/PhoneVerification.php/",
"http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]",
"http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip",
"http://iphones.email [redirection chain]",
"*Patient PII & PHI at critical risk"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Smoke Loader",
"display_name": "Smoke Loader",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Razy",
"display_name": "Razy",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "DangerousObject.Multi",
"display_name": "DangerousObject.Multi",
"target": null
},
{
"id": "Trojan.Injector",
"display_name": "Trojan.Injector",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
}
],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1555.003",
"name": "Credentials from Web Browsers",
"display_name": "T1555.003 - Credentials from Web Browsers"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1552.001",
"name": "Credentials In Files",
"display_name": "T1552.001 - Credentials In Files"
},
{
"id": "T1497.001",
"name": "System Checks",
"display_name": "T1497.001 - System Checks"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1059.006",
"name": "Python",
"display_name": "T1059.006 - Python"
},
{
"id": "T1059.005",
"name": "Visual Basic",
"display_name": "T1059.005 - Visual Basic"
}
],
"industries": [
"Healthcare",
"Civil Society",
"Patients"
],
"TLP": "white",
"cloned_from": "65c012b5e56cc9474ebb701f",
"export_count": 58,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 244,
"FileHash-SHA1": 237,
"FileHash-SHA256": 5468,
"URL": 3747,
"domain": 2512,
"hostname": 1593,
"CVE": 4
},
"indicator_count": 13805,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c970ef974adf44ef24c9a2",
"name": "Cyber espionage & Ransomware attacks spread via Phone call?",
"description": "",
"modified": "2024-03-05T22:00:26.685000",
"created": "2024-02-12T01:14:23.337000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"execution",
"historical ssl",
"contacted urls",
"whois whois",
"zfglddkl58a url",
"q0gpyr1balpdgpo",
"relacionada",
"formbook",
"smoke loader",
"iframe",
"january",
"resolutions",
"referrer",
"threat roundup",
"snatch",
"ransomware",
"hacktool",
"record type",
"ttl value",
"tsara brashears",
"apple",
"apple ios",
"password bypass",
"malware",
"password",
"apple phone",
"download",
"crypto",
"relic",
"monitoring",
"installer",
"tofsee",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"communicating",
"el0kpmhlfz",
"qdkxgr24yz",
"kgs0",
"kls0",
"malicious",
"phi",
"pii",
"dofoil",
"worn",
"rat",
"network",
"dns",
"trojan",
"remote",
"phone hacking",
"hacked by phone call",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"nginx",
"html info",
"information",
"meta tags",
"network",
"march",
"july",
"september",
"february",
"redline stealer",
"probe",
"raccoonstealer",
"no data",
"tag count",
"thu apr",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"asyncrat",
"redlinestealer",
"diamondfox",
"first",
"botnet command and control",
"python connection",
"tulach"
],
"references": [
"https://www.crccolorado.com/dr-adam-sang",
"CS IDS Rules: MALWARE Possible Compromised Host",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst",
"http://www.defi-realty.com/jem9/ [phishing]",
"http://45.159.189.105/bot/regex [phishing | tracking]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
"https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
"https://attack.mitre.org/software/S0226/",
"http://watchhers.net/index.php. [ data collection]",
"remotewd.com",
"https://remote.krogerlaw.com",
"device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com",
"www.pornhub.com [password decryption]",
"www.supernetforme.com [CnC]",
"ddos.dnsnb8.net [CnC]",
"http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs",
"https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]",
"https://us-bankofamerica.com/PhoneVerification.php/",
"http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]",
"http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip",
"http://iphones.email [redirection chain]",
"*Patient PII & PHI at critical risk"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Smoke Loader",
"display_name": "Smoke Loader",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Razy",
"display_name": "Razy",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "DangerousObject.Multi",
"display_name": "DangerousObject.Multi",
"target": null
},
{
"id": "Trojan.Injector",
"display_name": "Trojan.Injector",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
}
],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1555.003",
"name": "Credentials from Web Browsers",
"display_name": "T1555.003 - Credentials from Web Browsers"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1552.001",
"name": "Credentials In Files",
"display_name": "T1552.001 - Credentials In Files"
},
{
"id": "T1497.001",
"name": "System Checks",
"display_name": "T1497.001 - System Checks"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1059.006",
"name": "Python",
"display_name": "T1059.006 - Python"
},
{
"id": "T1059.005",
"name": "Visual Basic",
"display_name": "T1059.005 - Visual Basic"
}
],
"industries": [
"Healthcare",
"Civil Society",
"Patients"
],
"TLP": "white",
"cloned_from": "65c09e487b3899f3442aed96",
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 244,
"FileHash-SHA1": 237,
"FileHash-SHA256": 5468,
"URL": 3747,
"domain": 2512,
"hostname": 1593,
"CVE": 4
},
"indicator_count": 13805,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65e1ece3b935bda6b9d3e10b",
"name": "Cyber espionage & Ransomware attacks spread via Phone call? II.",
"description": "",
"modified": "2024-03-05T22:00:26.685000",
"created": "2024-03-01T14:57:39.828000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"execution",
"historical ssl",
"contacted urls",
"whois whois",
"zfglddkl58a url",
"q0gpyr1balpdgpo",
"relacionada",
"formbook",
"smoke loader",
"iframe",
"january",
"resolutions",
"referrer",
"threat roundup",
"snatch",
"ransomware",
"hacktool",
"record type",
"ttl value",
"tsara brashears",
"apple",
"apple ios",
"password bypass",
"malware",
"password",
"apple phone",
"download",
"crypto",
"relic",
"monitoring",
"installer",
"tofsee",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"communicating",
"el0kpmhlfz",
"qdkxgr24yz",
"kgs0",
"kls0",
"malicious",
"phi",
"pii",
"dofoil",
"worn",
"rat",
"network",
"dns",
"trojan",
"remote",
"phone hacking",
"hacked by phone call",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"nginx",
"html info",
"information",
"meta tags",
"network",
"march",
"july",
"september",
"february",
"redline stealer",
"probe",
"raccoonstealer",
"no data",
"tag count",
"thu apr",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"asyncrat",
"redlinestealer",
"diamondfox",
"first",
"botnet command and control",
"python connection",
"tulach"
],
"references": [
"https://www.crccolorado.com/dr-adam-sang",
"CS IDS Rules: MALWARE Possible Compromised Host",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst",
"http://www.defi-realty.com/jem9/ [phishing]",
"http://45.159.189.105/bot/regex [phishing | tracking]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
"https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
"https://attack.mitre.org/software/S0226/",
"http://watchhers.net/index.php. [ data collection]",
"remotewd.com",
"https://remote.krogerlaw.com",
"device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com",
"www.pornhub.com [password decryption]",
"www.supernetforme.com [CnC]",
"ddos.dnsnb8.net [CnC]",
"http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743",
"http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs",
"https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]",
"https://us-bankofamerica.com/PhoneVerification.php/",
"http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]",
"http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip",
"http://iphones.email [redirection chain]",
"*Patient PII & PHI at critical risk"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Smoke Loader",
"display_name": "Smoke Loader",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Razy",
"display_name": "Razy",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "DangerousObject.Multi",
"display_name": "DangerousObject.Multi",
"target": null
},
{
"id": "Trojan.Injector",
"display_name": "Trojan.Injector",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
}
],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1555.003",
"name": "Credentials from Web Browsers",
"display_name": "T1555.003 - Credentials from Web Browsers"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1055.012",
"name": "Process Hollowing",
"display_name": "T1055.012 - Process Hollowing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1552.001",
"name": "Credentials In Files",
"display_name": "T1552.001 - Credentials In Files"
},
{
"id": "T1497.001",
"name": "System Checks",
"display_name": "T1497.001 - System Checks"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1059.006",
"name": "Python",
"display_name": "T1059.006 - Python"
},
{
"id": "T1059.005",
"name": "Visual Basic",
"display_name": "T1059.005 - Visual Basic"
}
],
"industries": [
"Healthcare",
"Civil Society",
"Patients"
],
"TLP": "white",
"cloned_from": "65c09e487b3899f3442aed96",
"export_count": 88,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Enqrypted",
"id": "272105",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 244,
"FileHash-SHA1": 237,
"FileHash-SHA256": 5468,
"URL": 3747,
"domain": 2512,
"hostname": 1593,
"CVE": 4
},
"indicator_count": 13805,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65bf9b680a31915bed66fe9b",
"name": "Hacked Browser \u2022 DOS \u2022 Sinkholed",
"description": "Ongoing attack against targeted individual.",
"modified": "2024-03-05T13:02:33.380000",
"created": "2024-02-04T14:12:56.167000",
"tags": [
"whois record",
"contacted",
"ssl certificate",
"referrer",
"contacted urls",
"historical ssl",
"resolutions",
"siblings domain",
"threat roundup",
"september",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"execution",
"siblings",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"google safe",
"creation date",
"cpm network",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"date",
"showing",
"unknown",
"next",
"http response",
"final url",
"ip address",
"status code",
"headers date",
"files",
"apple ios",
"urls url",
"apple",
"password",
"domains",
"tmobile metro",
"hacktool",
"ursnif",
"malware",
"core",
"tsara brashears",
"copy",
"tracker",
"highly targeted",
"sides with",
"nanocore",
"ransomexx",
"quasar",
"maui ransomware",
"download",
"relic",
"monitoring",
"installer",
"cobalt strike",
"phishing",
"critical",
"emotet",
"exploit",
"united",
"win32upatre jan",
"entries",
"ipv4",
"open",
"trojan",
"body",
"artro",
"status",
"hostname",
"cpm fun",
"meta name",
"malware stealer trojan evader",
"cyber warfare",
"urls http",
"apple phone",
"unlocker",
"shell code",
"script",
"awful",
"june",
"service",
"privateloader",
"amadey",
"powershell",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"exe32",
"compiler",
"vs2013",
"info compiler",
"products id",
"vs2013 upd4",
"upd4",
"header intel",
"name md5",
"getcursor getdc"
],
"references": [
"http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable",
"CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Worm:Win32/Mimail.9c74f1f3",
"display_name": "Worm:Win32/Mimail.9c74f1f3",
"target": "/malware/Worm:Win32/Mimail.9c74f1f3"
},
{
"id": "Win32.Virlock.Gen.1",
"display_name": "Win32.Virlock.Gen.1",
"target": null
},
{
"id": "AMADEY",
"display_name": "AMADEY",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 49,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1301,
"FileHash-SHA1": 717,
"FileHash-SHA256": 1520,
"URL": 1249,
"domain": 564,
"hostname": 931,
"email": 6,
"CVE": 2,
"FilePath": 1
},
"indicator_count": 6291,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65bf9b6b83552213615b08b6",
"name": "Hacked Browser \u2022 DOS \u2022 Sinkholed",
"description": "Ongoing attack against targeted individual.",
"modified": "2024-03-05T13:02:33.380000",
"created": "2024-02-04T14:12:59.815000",
"tags": [
"whois record",
"contacted",
"ssl certificate",
"referrer",
"contacted urls",
"historical ssl",
"resolutions",
"siblings domain",
"threat roundup",
"september",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"execution",
"siblings",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"google safe",
"creation date",
"cpm network",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"date",
"showing",
"unknown",
"next",
"http response",
"final url",
"ip address",
"status code",
"headers date",
"files",
"apple ios",
"urls url",
"apple",
"password",
"domains",
"tmobile metro",
"hacktool",
"ursnif",
"malware",
"core",
"tsara brashears",
"copy",
"tracker",
"highly targeted",
"sides with",
"nanocore",
"ransomexx",
"quasar",
"maui ransomware",
"download",
"relic",
"monitoring",
"installer",
"cobalt strike",
"phishing",
"critical",
"emotet",
"exploit",
"united",
"win32upatre jan",
"entries",
"ipv4",
"open",
"trojan",
"body",
"artro",
"status",
"hostname",
"cpm fun",
"meta name",
"malware stealer trojan evader",
"cyber warfare",
"urls http",
"apple phone",
"unlocker",
"shell code",
"script",
"awful",
"june",
"service",
"privateloader",
"amadey",
"powershell",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"exe32",
"compiler",
"vs2013",
"info compiler",
"products id",
"vs2013 upd4",
"upd4",
"header intel",
"name md5",
"getcursor getdc"
],
"references": [
"http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable",
"CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Worm:Win32/Mimail.9c74f1f3",
"display_name": "Worm:Win32/Mimail.9c74f1f3",
"target": "/malware/Worm:Win32/Mimail.9c74f1f3"
},
{
"id": "Win32.Virlock.Gen.1",
"display_name": "Win32.Virlock.Gen.1",
"target": null
},
{
"id": "AMADEY",
"display_name": "AMADEY",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 46,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1301,
"FileHash-SHA1": 717,
"FileHash-SHA256": 1520,
"URL": 1249,
"domain": 564,
"hostname": 931,
"email": 6,
"CVE": 2,
"FilePath": 1
},
"indicator_count": 6291,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c09e6935e446f36ee67d16",
"name": "Hacked Browser \u2022 DOS \u2022 Sinkholed",
"description": "",
"modified": "2024-03-05T13:02:33.380000",
"created": "2024-02-05T08:38:01.689000",
"tags": [
"whois record",
"contacted",
"ssl certificate",
"referrer",
"contacted urls",
"historical ssl",
"resolutions",
"siblings domain",
"threat roundup",
"september",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"execution",
"siblings",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"related pulses",
"none related",
"tags none",
"file type",
"google safe",
"creation date",
"cpm network",
"passive dns",
"urls",
"search",
"expiration date",
"name servers",
"date",
"showing",
"unknown",
"next",
"http response",
"final url",
"ip address",
"status code",
"headers date",
"files",
"apple ios",
"urls url",
"apple",
"password",
"domains",
"tmobile metro",
"hacktool",
"ursnif",
"malware",
"core",
"tsara brashears",
"copy",
"tracker",
"highly targeted",
"sides with",
"nanocore",
"ransomexx",
"quasar",
"maui ransomware",
"download",
"relic",
"monitoring",
"installer",
"cobalt strike",
"phishing",
"critical",
"emotet",
"exploit",
"united",
"win32upatre jan",
"entries",
"ipv4",
"open",
"trojan",
"body",
"artro",
"status",
"hostname",
"cpm fun",
"meta name",
"malware stealer trojan evader",
"cyber warfare",
"urls http",
"apple phone",
"unlocker",
"shell code",
"script",
"awful",
"june",
"service",
"privateloader",
"amadey",
"powershell",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"exe32",
"compiler",
"vs2013",
"info compiler",
"products id",
"vs2013 upd4",
"upd4",
"header intel",
"name md5",
"getcursor getdc"
],
"references": [
"http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable",
"CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Worm:Win32/Mimail.9c74f1f3",
"display_name": "Worm:Win32/Mimail.9c74f1f3",
"target": "/malware/Worm:Win32/Mimail.9c74f1f3"
},
{
"id": "Win32.Virlock.Gen.1",
"display_name": "Win32.Virlock.Gen.1",
"target": null
},
{
"id": "AMADEY",
"display_name": "AMADEY",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65bf9b6b83552213615b08b6",
"export_count": 44,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1301,
"FileHash-SHA1": 717,
"FileHash-SHA256": 1520,
"URL": 1249,
"domain": 564,
"hostname": 931,
"email": 6,
"CVE": 2,
"FilePath": 1
},
"indicator_count": 6291,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "775 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65be56d257bb241c4fa3f68d",
"name": "AZORult CnC",
"description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares",
"modified": "2024-03-04T14:03:17.574000",
"created": "2024-02-03T15:08:02.291000",
"tags": [
"ssl certificate",
"whois record",
"threat roundup",
"whois whois",
"january",
"historical ssl",
"referrer",
"april",
"resolutions",
"siblings domain",
"march",
"february",
"obz4usfn0 http",
"problems",
"threat network",
"infrastructure",
"st201601152",
"startpage",
"iframe",
"united",
"unknown",
"search",
"showing",
"united kingdom",
"creation date",
"aaaa",
"cname",
"scan endpoints",
"all octoseek",
"date",
"next",
"script urls",
"soa nxdomain",
"link",
"xml title",
"portugal",
"domain",
"status",
"expiration date",
"pulse pulses",
"as44273 host",
"domain robot",
"as61969 team",
"body",
"as8075",
"netherlands",
"servers",
"emails",
"duo insight",
"type",
"asnone united",
"name servers",
"germany unknown",
"passive dns",
"as14061",
"as49453",
"lowfi",
"a domains",
"urls",
"privacy inc",
"customer",
"trojandropper",
"dynamicloader",
"default",
"medium",
"entries",
"khtml",
"download",
"show",
"activity",
"http",
"copy",
"write",
"malware",
"adware affiliate",
"hostname",
"trojan",
"pulse submit",
"url analysis",
"files",
"as212913 fop",
"russia unknown",
"as397240",
"as15169 google",
"as19237 omnis",
"as22169 omnis",
"as20068 hawk",
"as133618",
"as47846",
"as22489",
"encrypt",
"record value",
"pragma",
"accept ch",
"ireland unknown",
"msie",
"chrome",
"style",
"gmt setcookie",
"as6724 strato",
"core",
"win32",
"backdoor",
"expl",
"exploit",
"ipv4",
"virtool",
"azorult cnc",
"possible",
"as7018 att",
"regsetvalueexa",
"china as4134",
"service",
"asnone",
"dns lookup",
"ransom",
"push",
"eternalblue",
"recon",
"playgame",
"domain name",
"as13768 aptum",
"meta",
"error",
"as43350 nforce",
"as55286",
"as60558 phoenix",
"ip address",
"registrar",
"1996",
"contacted",
"unlocker",
"red team",
"af81 http",
"execution",
"open",
"whois sslcert",
"suspicious c2",
"cve202322518",
"collection",
"vt graph",
"excel",
"emotet",
"metro",
"jeffrey reimer pt",
"sharecare",
"tsara brashears",
"apple",
"icloud"
],
"references": [
"https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
"qbot.zip",
"imp.fusioninstall.com",
"https://mylegalbid.com/malwarebytes",
"192.185.223.216 | 192.168.56.1 [malware]",
"http://45.159.189.105/bot/regex",
"https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
"http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
"xhamster.comyouporn.com",
"cams4all.com",
"watchhers.net",
"weconnect.com",
"icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
"http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
"init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
"Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
"https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
"https://www.songculture.com/tsara-lynn-brashears-music",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"youramateuporn.com",
"ns2.abovedomains.com",
"ww16.porn-community.porn25.com",
"https://totallyspies.1000hentai.com/tag/clover-porn/",
"pirateproxy.cc",
"mwilliams.dev@gmail.com | piratepages.com",
"838114.parkingcrew.net",
"static-push-preprod.porndig.com",
"www.redtube.comyouporn.com",
"https://severeporn-com.pornproxy.page/",
"https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
"yoursexy.porn | indianyouporn.com",
"source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
"cdn.pornsocket.com",
"http://secure.indianpornpass.com/track/hotpornstuff",
"www.anyxxxtube.net",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
"campaign-manager.sharecare.com",
"qa.companycam.com",
"https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
"24-70mm.camera",
"dropboxpayments.com",
"http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
"http://xred.mooo.com",
"https://sexgalaxy.net/tag/rodneymoore/",
"http://alive.overit.com/~schoolbu/badmood3.exe",
"jimgaffigan.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United Kingdom of Great Britain and Northern Ireland",
"United States of America",
"Netherlands",
"Germany",
"France"
],
"malware_families": [
{
"id": "Adware Affiliate",
"display_name": "Adware Affiliate",
"target": null
},
{
"id": "AZORult CnC",
"display_name": "AZORult CnC",
"target": null
},
{
"id": "Possible",
"display_name": "Possible",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 737,
"FileHash-SHA1": 692,
"FileHash-SHA256": 7488,
"URL": 6694,
"domain": 5247,
"hostname": 2932,
"email": 49,
"CVE": 2,
"SSLCertFingerprint": 1
},
"indicator_count": 23842,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "776 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65be56d6df9d36bac14ccd87",
"name": "AZORult CnC",
"description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares",
"modified": "2024-03-04T14:03:17.574000",
"created": "2024-02-03T15:08:06.808000",
"tags": [
"ssl certificate",
"whois record",
"threat roundup",
"whois whois",
"january",
"historical ssl",
"referrer",
"april",
"resolutions",
"siblings domain",
"march",
"february",
"obz4usfn0 http",
"problems",
"threat network",
"infrastructure",
"st201601152",
"startpage",
"iframe",
"united",
"unknown",
"search",
"showing",
"united kingdom",
"creation date",
"aaaa",
"cname",
"scan endpoints",
"all octoseek",
"date",
"next",
"script urls",
"soa nxdomain",
"link",
"xml title",
"portugal",
"domain",
"status",
"expiration date",
"pulse pulses",
"as44273 host",
"domain robot",
"as61969 team",
"body",
"as8075",
"netherlands",
"servers",
"emails",
"duo insight",
"type",
"asnone united",
"name servers",
"germany unknown",
"passive dns",
"as14061",
"as49453",
"lowfi",
"a domains",
"urls",
"privacy inc",
"customer",
"trojandropper",
"dynamicloader",
"default",
"medium",
"entries",
"khtml",
"download",
"show",
"activity",
"http",
"copy",
"write",
"malware",
"adware affiliate",
"hostname",
"trojan",
"pulse submit",
"url analysis",
"files",
"as212913 fop",
"russia unknown",
"as397240",
"as15169 google",
"as19237 omnis",
"as22169 omnis",
"as20068 hawk",
"as133618",
"as47846",
"as22489",
"encrypt",
"record value",
"pragma",
"accept ch",
"ireland unknown",
"msie",
"chrome",
"style",
"gmt setcookie",
"as6724 strato",
"core",
"win32",
"backdoor",
"expl",
"exploit",
"ipv4",
"virtool",
"azorult cnc",
"possible",
"as7018 att",
"regsetvalueexa",
"china as4134",
"service",
"asnone",
"dns lookup",
"ransom",
"push",
"eternalblue",
"recon",
"playgame",
"domain name",
"as13768 aptum",
"meta",
"error",
"as43350 nforce",
"as55286",
"as60558 phoenix",
"ip address",
"registrar",
"1996",
"contacted",
"unlocker",
"red team",
"af81 http",
"execution",
"open",
"whois sslcert",
"suspicious c2",
"cve202322518",
"collection",
"vt graph",
"excel",
"emotet",
"metro",
"jeffrey reimer pt",
"sharecare",
"tsara brashears",
"apple",
"icloud"
],
"references": [
"https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
"qbot.zip",
"imp.fusioninstall.com",
"https://mylegalbid.com/malwarebytes",
"192.185.223.216 | 192.168.56.1 [malware]",
"http://45.159.189.105/bot/regex",
"https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
"http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
"xhamster.comyouporn.com",
"cams4all.com",
"watchhers.net",
"weconnect.com",
"icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
"http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
"init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
"Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
"https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
"https://www.songculture.com/tsara-lynn-brashears-music",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"youramateuporn.com",
"ns2.abovedomains.com",
"ww16.porn-community.porn25.com",
"https://totallyspies.1000hentai.com/tag/clover-porn/",
"pirateproxy.cc",
"mwilliams.dev@gmail.com | piratepages.com",
"838114.parkingcrew.net",
"static-push-preprod.porndig.com",
"www.redtube.comyouporn.com",
"https://severeporn-com.pornproxy.page/",
"https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
"yoursexy.porn | indianyouporn.com",
"source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
"cdn.pornsocket.com",
"http://secure.indianpornpass.com/track/hotpornstuff",
"www.anyxxxtube.net",
"https://twitter.com/PORNO_SEXYBABES",
"http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
"campaign-manager.sharecare.com",
"qa.companycam.com",
"https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
"24-70mm.camera",
"dropboxpayments.com",
"http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
"http://xred.mooo.com",
"https://sexgalaxy.net/tag/rodneymoore/",
"http://alive.overit.com/~schoolbu/badmood3.exe",
"jimgaffigan.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United Kingdom of Great Britain and Northern Ireland",
"United States of America",
"Netherlands",
"Germany",
"France"
],
"malware_families": [
{
"id": "Adware Affiliate",
"display_name": "Adware Affiliate",
"target": null
},
{
"id": "AZORult CnC",
"display_name": "AZORult CnC",
"target": null
},
{
"id": "Possible",
"display_name": "Possible",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
}
],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8134,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 737,
"FileHash-SHA1": 692,
"FileHash-SHA256": 7488,
"URL": 6694,
"domain": 5247,
"hostname": 2932,
"email": 49,
"CVE": 2,
"SSLCertFingerprint": 1
},
"indicator_count": 23842,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "776 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65bca8fcbe62297d71b47c33",
"name": "Ragnar Locker",
"description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n 108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.",
"modified": "2024-03-03T08:00:03.432000",
"created": "2024-02-02T08:34:04.425000",
"tags": [
"referrer",
"contacted",
"whois record",
"ssl certificate",
"whois whois",
"contacted urls",
"execution",
"historical ssl",
"red team",
"gang breached",
"agent tesla",
"redline stealer",
"metro",
"android",
"urls url",
"files",
"kgs0",
"kls0",
"orgtechhandle",
"orgtechref",
"orgabusehandle",
"orgdnshandle",
"orgdnsref",
"whois lookup",
"netrange",
"nethandle",
"net108",
"net1080000",
"communicating",
"urls http",
"ransomware gang",
"breached",
"team",
"first",
"utc submissions",
"submitters",
"gandi sas",
"psiusa",
"domain robot",
"porkbun llc",
"keysystems gmbh",
"csc corporate",
"domains",
"domain name",
"network pty",
"tucows",
"com laude",
"dynadot inc"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8354,
"FileHash-MD5": 104,
"FileHash-SHA1": 81,
"FileHash-SHA256": 2711,
"CIDR": 5,
"CVE": 6,
"domain": 1489,
"hostname": 3058,
"email": 5
},
"indicator_count": 15813,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "777 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65bbe07f0780cef1c48ccae4",
"name": "access.blackbagtech.com",
"description": "innovative forensic acquisition, triage, and analysis software for Windows, Android, iPhone/iPad, and Mac OS X devices.\nIn this instance Pegasus was deployed against the survivor of hungry, injurious SA against Brashears; allegedly assaulted by PT Jeffrey Reimer in AMS Concentra/Select Physical Therapy in Denver, Co. Rather than investigate DPT Reimer, law enforcement launched attack against victim ( SCI/TBI). Brashears was threatened by Mark Montana MD, lawyer and Workers Compensation doctor. Denied care, equally aggressive Montano wage effort to ensure silence and wides bid for Douglas County, Colorado Coroner election. Fraud, framing, death threats ensued. Montano threatened Brashears with his alleged best friend Tony Spurlock, promising a battle against her Court documented. \nBrashears is in danger.",
"modified": "2024-03-02T17:02:51.870000",
"created": "2024-02-01T18:18:39.156000",
"tags": [
"ssl certificate",
"whois record",
"pegasus",
"cellbrite",
"targets sa",
"survivor",
"blackbag",
"relations apple",
"mdm hacking",
"communicating",
"execution",
"contacted",
"quasar",
"kgs0",
"malware",
"core",
"hacktool",
"ransomexx",
"azorult",
"emotet",
"remcos",
"agent tesla",
"grandoreiro",
"targeting tsara brashears",
"delphi programming",
"access",
"local law enforcement",
"quasi case",
"framing",
"jeffrey reimer dpt 'reported' assaulter",
"state and governments cover white offender jeffrey reimer",
"indian mix brashears physically attacked often followed",
"death threats",
"alienvault results removed from search results",
"brashears tagged in adult content - not removed",
"brashears blacklisted",
"reimer promoted",
"false criminal records created about brashears",
"brashears family identity theft",
"judge sided with brashears",
"brashears given less than $10000 by Brian sabey",
"brian sabey constant contact ) threats",
"brashears stalked",
"reimer protected and hidden",
"pegasus technology disallows victim to report to regulatory boar",
"aig",
"industry and commerce",
"danger",
"rob neill drives brashears off road",
"brashears further injured",
"neill positively identified - no charges",
"malvertizing",
"botnet",
"fraud apple support chats",
"falsified medical records",
"denied healthcare",
"hydrocephalus not disclosed",
"permanent damage",
"corruption",
"burg simpson corruption",
"Denver trial attorneys tell brashears statute is 6 years in colo",
"da informs brashears no statute",
"brashears denied disability benefits for years",
"remember george floyd? brashears survived that injury",
"brashears cannot digest food",
"brashears can't toilet",
"jeffrey reimer was reported early",
"brashears bullied to return to PT due to workers compensation ru",
"montano threatened brashears with breaking the law if not return",
"reimer recorded",
"recordings stored online",
"recordings retrieved by bgp",
"bryan counts made aware of recordings",
"recordings demanded",
"america?",
"advocates ensure the rights of others",
"make others aware",
"who else is unheard.",
"non stop harassment",
"constant car bomb threats",
"brashears unable to properly articulate",
"nothing new",
"assaulted by man demanding phone",
"no charges",
"Brian sabey brings case to silence brashears",
"sabey motions dismissed",
"pegasus involves malicious actions by humans",
"pegasus attackers do kill",
"pegasus attackers make in person contact",
"overly large campaign",
"private investigators tailed stalkers. became afraid when learni",
"discrimination",
"hacking",
"tracking",
"car hacking",
"apple",
"android overlay",
"network rats",
"brashears denied vocational rehab twice",
"brashears unhirable due to online profile",
"employer rightfully consider brashears attack a risk to others",
"group hacked intermountain healthcare",
"group hacked uchealth colorado",
"group hacked esurance"
],
"references": [
"access.blackbagtech.com",
"The only thing necessary for the triumph of evil is for good men to do nothing.\u201d"
],
"public": 1,
"adversary": "NSO Group",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 87,
"FileHash-SHA1": 78,
"FileHash-SHA256": 2075,
"URL": 2696,
"domain": 710,
"hostname": 827,
"CVE": 1
},
"indicator_count": 6474,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "778 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b93e70b75e7dce7168f4dd",
"name": "Google - Lumma Stealer| QakBot | Emotet",
"description": "Lumma is classified as a stealer - a type of malware that extracts sensitive information from infected devices.\n\nYou can't see it. You will see https://www.google.com and your search. It's hidden spyware. extremely malicious. Targeted individual.",
"modified": "2024-02-29T17:01:09.717000",
"created": "2024-01-30T18:22:40.905000",
"tags": [
"ssl certificate",
"whois record",
"threat roundup",
"contacted",
"historical ssl",
"referrer",
"urls url",
"whois whois",
"october",
"resolutions",
"august",
"execution",
"installer",
"iframe",
"malware",
"core",
"emotet",
"lumma stealer",
"ransomexx",
"azorult",
"ursnif",
"hacktool",
"june",
"qakbot",
"qbot",
"april",
"targeting",
"tsara brashears",
"active threat"
],
"references": [
"google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]",
"toolbarqueries.google.com.uy"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 50,
"FileHash-SHA1": 46,
"FileHash-SHA256": 3377,
"hostname": 2502,
"URL": 8531,
"domain": 1250,
"CVE": 2
},
"indicator_count": 15758,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "780 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a429795adf468b427a3c8b",
"name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com",
"description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.",
"modified": "2024-02-13T17:04:19.437000",
"created": "2024-01-14T18:35:37.757000",
"tags": [
"execution",
"whois record",
"contacted",
"ssl certificate",
"whois whois",
"contacted urls",
"copy",
"historical ssl",
"referrer",
"urls url",
"icmp",
"malicious",
"installer",
"problems",
"collections",
"report",
"phishing",
"service tool",
"greatness",
"threat network",
"emotet",
"magniber",
"startpage",
"attack",
"banker",
"keylogger",
"namecheap inc",
"com laude",
"ltd dba",
"cloudflare",
"porkbun llc",
"ii llc",
"csc corporate",
"domains",
"computer",
"company limited",
"first",
"cloudflarenet",
"google",
"amazon02",
"akamaias",
"telecom italia",
"utc submissions",
"microsoftcorpas",
"indonesia",
"beijing gu",
"appleaustin",
"sucurisec",
"amazonaes",
"limited",
"tsara brashears",
"pornhub",
"thebrotherssabey",
"then brothers sabey",
"brian sabey",
"apple",
"icloud",
"apple engineering",
"soc",
"hacker",
"teams",
"malvertizing",
"cyberthreat",
"cyber crime",
"data",
"v3 serial",
"number",
"cgb stgreater",
"ecc domain",
"server ca",
"subject public",
"key info",
"key algorithm",
"ec oid",
"remote",
"remote attacker",
"benjamin",
"worm",
"trojan",
"win32",
"trojanspy",
"ransomware",
"command and control",
"cnc",
"c2",
"stealer",
"password",
"apple unlocker",
"pornographers",
"cyber stalking",
"revenge rat",
"masquerading",
"scanning host",
"phishing",
"dns",
"network",
"cobalt strike",
"mitre attack",
"metro hacker",
"t-mobile hacker",
"stalker",
"social engineering",
"et",
"torrent trecker",
"view",
"duckdns",
"blackhat",
"data center",
"tracking",
"illegal",
"malware scripting",
"malware spreader",
"network rat",
"multiple botnetworks"
],
"references": [
"https://thebrotherssabey.wordpress.com/",
"acam-mdn.apple.com",
"beacons.bcp.gvt.com",
"cpcontacts.webcamara.online",
"http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15",
"http://ti.hicloudcam.com",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://search.app.goo.gl/?ofl",
"Worm:Win32/Benjamin",
"FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab",
"FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5",
"FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5",
"applemusic-spotlight.myunidays.com",
"nr-data.net",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4",
"blackhat.store",
"api.telegram.org",
"cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Silk",
"display_name": "Silk",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2462,
"URL": 5950,
"FileHash-MD5": 168,
"FileHash-SHA1": 156,
"FileHash-SHA256": 3901,
"CIDR": 2,
"hostname": 2766,
"email": 2,
"CVE": 1
},
"indicator_count": 15408,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "796 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a0194269f81650babf9b6c",
"name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring",
"description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.",
"modified": "2024-02-10T15:03:45.065000",
"created": "2024-01-11T16:37:22.751000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"threat roundup",
"historical ssl",
"december",
"october",
"august",
"referrer",
"execution",
"raspberry robin",
"ghost rat",
"service",
"dtrack",
"download",
"malware",
"hijacker",
"monitoring",
"installer",
"masquerading",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"nginx",
"parked domain",
"parking crew",
"malware hosting",
"dga parking",
"msie",
"cmd",
"worm",
"dga malvertizing"
],
"references": [
"voyour-cams.xww.de",
"https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples",
"https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "LokiBot",
"display_name": "LokiBot",
"target": null
},
{
"id": "Ghost RAT",
"display_name": "Ghost RAT",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "Raspberry Robin",
"display_name": "Raspberry Robin",
"target": null
},
{
"id": "Roshtyak",
"display_name": "Roshtyak",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1052.001",
"name": "Exfiltration over USB",
"display_name": "T1052.001 - Exfiltration over USB"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 81,
"FileHash-SHA1": 83,
"FileHash-SHA256": 3484,
"URL": 7778,
"domain": 2468,
"hostname": 2348,
"email": 2,
"CVE": 1
},
"indicator_count": 16245,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "799 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"imp.fusioninstall.com",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"https://otx.alienvault.com/indicator/domain/findmy-apple.support",
"http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn",
"https://sexgalaxy.net/tag/rodneymoore/",
"www.icloud.com [wp-login.php]",
"sonymobilemail.com",
"access.blackbagtech.com",
"init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"cpcontacts.webcamara.online",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"www2.megawebfind.com [command and control]",
"https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst",
"dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/",
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]",
"http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
"http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
"\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
"voyour-cams.xww.de",
"http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
"static-push-preprod.porndig.com",
"www.supernetforme.com [command_and_control]",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"http://ti.hicloudcam.com",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"20.99.186.246 [exploit source]",
"*Patient PII & PHI at critical risk",
"http://45.159.189.105/bot/regex [ tracking | botnet]",
"http://alohatube.xyz/search/tsara-brashears",
"Found in: https://Side3.com/",
"The only thing necessary for the triumph of evil is for good men to do nothing.\u201d",
"www.anyxxxtube.net",
"jimgaffigan.com",
"http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15",
"tv.apple.com",
"https://www.songculture.com/tsara-lynn-brashears-music",
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]",
"https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"www.anyxxxtube.net [malicious data collection]",
"dvd-game-new-releases.info",
"acam-mdn.apple.com",
"ddos.dnsnb8.net [CnC]",
"http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]",
"Added some URLs from FSio Report to URLScan",
"https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
"Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe",
"youramateuporn.com",
"/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
"https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]",
"ddos.dnsnb8.net [command_and_control]",
"FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5",
"toolbarqueries.google.com.uy",
"demo.auth.civicalg.com.sni.cloudflaressl.com",
"beacons.bcp.gvt.com",
"https://tria.ge/250210-3c3c3askfz",
"http://appleid.icloud.com-website33.org/",
"device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com",
"https://attack.mitre.org/software/S0226/",
"ww16.porn-community.porn25.com",
"CS Sigma Rules: Use Remove-Item to Delete File by frack113",
"FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5",
"nexus.b2btest.ertelecom.ru",
"CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Intellectual property accessed and distributed",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]",
"https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
"http://fillmark.net/index.php [phishing]",
"s3.amazonaws.com [targeting data collection]",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses",
"https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]",
"",
"watchhers.net",
"qa.companycam.com",
"\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
"ns3.hallgrandsale.ru",
"CS Sigma Rules: Disable UAC Using Registry by frack113",
"CS Sigma Rules: Python Initiated Connection by frack113",
"CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable",
"pegahpouraseflaw.info",
"https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"qbot.zip",
"weconnect.com",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]",
"CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
"http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]",
"blackhat.store",
"webdisk.thehomemakers.nl [spyware | tracking]",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe",
"applemusic-spotlight.myunidays.com",
"cams4all.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
"URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org",
"https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
"\u2022 199.59.243.226",
"redhatdelete.com",
"nr-data.net [Apple Private Data Collection]",
"https://totallyspies.1000hentai.com/tag/clover-porn/",
"ns2.abovedomains.com",
"https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639",
"https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea",
"https://side3.com/",
"https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]",
"https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]",
"campaign-manager.sharecare.com",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"http://nudeteenporn.site",
"nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
"CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community",
"104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]",
"https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
"https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
"Trojan-Ransom.Win32.Blocker.jgb Checkin",
"0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org",
"nr-data.net",
"honey.exe",
"CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst",
"remotewd.com",
"https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf",
"http://xred.mooo.com",
"https://remote.krogerlaw.com",
"yoursexy.porn | indianyouporn.com",
"www.redtube.comyouporn.com",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
"http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]",
"\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
"https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027",
"https://thebrotherssabey.wordpress.com/",
"https://tria.ge/250211-dhpxgswlax",
"xhamster.comyouporn.com",
"https://www.crccolorado.com/dr-adam-sang",
"https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
"https://tria.ge/250211-dx9v7swnbw",
"https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
"\u2022 ww25.vpn.steamcommunity-site.info",
"happyrabbit.kr [Apple iOS threat]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
"Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}",
"http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
"workers.dev [extraction \u2022 GET request attack]",
"FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]",
"http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
"https://www.side3.com",
"\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/",
"https://twitter.com/PORNO_SEXYBABES",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
"https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz",
"google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"http://pornhub.com/gay/video/search",
"http://micrologin.ogspy.net/track/dhl-information-contact.html",
"CVE: CVE-2023-23397",
"Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"838114.parkingcrew.net",
"http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]",
"https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
"Win32:RATX-gen [Trj] identified.",
"api.utah.edu [access apple]",
"192.185.223.216 | 192.168.56.1 [malware]",
"cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php",
"https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695",
"CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.",
"CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://45.159.189.105/bot/regex [phishing | tracking]",
"http://watchhers.net/index.php. [ data collection]",
"dropboxpayments.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"sex-ukraine.net",
"pirateproxy.cc",
"https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393",
"https://search.app.goo.gl/?ofl",
"source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
"vtbehaviour.commondatastorage.googleapis.com",
"https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join",
"Worm:Win32/Benjamin",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"cs9.wac.phicdn.net.1.1.e64a8639.roksit.net",
"https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign",
"pornhub.org",
"icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
"24-70mm.camera",
"http://alive.overit.com/~schoolbu/badmood3.exe",
"ransomed.vc",
"\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
"https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
"https://www.myminiweb.com/",
"http://iphones.email [redirection chain]",
"https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark",
"http://mouthgrave.net/index.php",
"c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
"http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
"0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550",
"http://www.defi-realty.com/jem9/ [phishing]",
"http://45.159.189.105/bot/regex",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
"https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians",
"https://severeporn-com.pornproxy.page/",
"cdn.pornsocket.com",
"https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude",
"www-temp.metrobyt-mobile.com [malicious | data collection]",
"https://tria.ge/250211-dt1hcswme1",
"message.htm.com",
"Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7",
"http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma",
"https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples",
"https://mylegalbid.com/malwarebytes",
"https://us-bankofamerica.com/PhoneVerification.php/",
"https://tria.ge/250210-3y8f7sspdy",
"Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
"\u2193\u2192Found in: https://house.mo.gov/\u2193",
"https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
"https://tulach.cc/",
"https://tria.ge/250210-3nh4kasmes",
"CS IDS Rules: MALWARE Possible Compromised Host",
"andrewka6.pythonanywhere.com [python connection - apple]",
"1.116.217.151 [Cobalt Strike]",
"http://secure.indianpornpass.com/track/hotpornstuff",
"www.pornhub.com [password decryption]",
"\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
"CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?",
"https://www.sweetheartvideo.com/tsara-brashears/",
"ww12.indianpornxxxtube.com",
"Remote Access Trojan",
"\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
"https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]",
"mwilliams.dev@gmail.com | piratepages.com",
"FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab",
"www.supernetforme.com [CnC]",
"http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
"api.login.live.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mobilesmafia.com/applications/botnet.ex",
"stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats",
"api.telegram.org",
"http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip",
"https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs",
"https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
"http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"El Machete, TAG-100, Mirage, Unamed_Grooup",
"NSO Group",
"Unnamed group"
],
"malware_families": [
"Trojandropper:win32",
"Maze",
"Amadey",
"W32.sality-73",
"Smoke loader",
"Trojan.injector",
"Roshtyak",
"W32.sality.pe",
"Glooxmail",
"Worm:win32/mydoom",
"Virtool",
"Gen:variant.zusy",
"Reputation.1",
"Ransom:win32/wannacrypt.a!rsm",
"Et",
"Azorult cnc",
"Ransomware",
"Network rat",
"Win32:ratx-gen [trj]",
"Generic.malware",
"Emotet",
"Win.trojan.mbrlock-9779766-0",
"Qbot",
"Win.trojan.agent-828507",
"Malware",
"Win32:evo-gen\\ [trj]",
"Floxif",
"Zombie.a",
"Silk",
"Hacktool",
"Content reputation",
"Nanocore rat",
"Win.puzzlemaker",
"Virus.win32.virut.q",
"Verified",
"Hallgrand",
"Sality",
"Unruy",
"Trojan-ransom.win32.blocker.jgb checkin",
"Qakbot",
"Chaos (elf)",
"Wiper",
"Lolkek",
"Mekotio",
"Win32/cryptor",
"Dark power",
"Hiddentear",
"Cobalt strike",
"Rostpay",
"Suppobox",
"Bandit stealer",
"Generic_r.byw",
"W32/hupigon.ncu",
"Lumma stealer",
"Razy",
"Sabey",
"Raspberry robin",
"Adware affiliate",
"Win32:inject-bcl\\ [trj]",
"Formbook",
"#lowfi:suspicioussectionname",
"Makop",
"Virut",
"Azorult",
"Noname057",
"Dark",
"Alf:e5.spikeaex.rhh_pid",
"Berbew.aa!mtb",
"#lowfi:siga:trojanspy:msil/keylogger",
"Sibot",
"Hallrender",
"Djvu",
"Ransomexx",
"Relic",
"Win.fivehands",
"Anydesk",
"Win.ransomware.locky-7766366-0",
"Maui ransomware",
"Simda",
"Trojan:win32/remcosrat",
"Goldmax",
"Tulach",
"Dangerousobject.multi",
"Nokoyawa ransomware",
"Worm:win32/mimail.9c74f1f3",
"Sheur4.ceoo",
"Lokibot",
"Goldfinder",
"Trojanspy",
"Ursnif",
"Tofsee",
"Lockbit",
"Njrat",
"Colbalt strike",
"Artro",
"Trojandropper:win32/gamehack",
"Worm:win32/benjamin",
"Cyber criminal",
"Possible",
"Win.sombrat",
"Glupteba.mt!mtb",
"Win32.virlock.gen.1",
"Trojan:win32/smokeloader",
"Androidoverlaymalware - mob-s0012",
"Quasar rat",
"Agent tesla",
"Ghost rat",
"Defacement",
"Mitre attack",
"Floxif.e",
"Flubot",
"Ryuk ransomware",
"Mirai",
"Win32/tanatos.a"
],
"industries": [
"Agriculture",
"Finance",
"Civil society",
"Patients",
"Telecommunications",
"Entertainment",
"Education",
"Public administration",
"Government",
"Media",
"Recording industry",
"Entertainers",
"Energy",
"Hospitality",
"Retail",
"Healthcare",
"Technology"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69b2bb3f596b9a99d6eb97c3",
"name": "unnamed group SOCradar clone by fraevolquez",
"description": "",
"modified": "2026-04-12T00:05:39.579000",
"created": "2026-03-12T13:10:23.942000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": "67733381a0cdad5d55f5166f",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2730aa46a25d7949daa8d",
"name": "apple retail dnspionage clone octoseek",
"description": "",
"modified": "2026-04-11T00:03:57.096000",
"created": "2026-03-12T08:02:18.609000",
"tags": [
"Ghost RAT",
"WebToolbar",
"Nanocore RAT",
"GameHack",
"Cobalt Strike",
"RedlineStealer",
"HallGrand",
"InstallCore",
"InstallBrain",
"Emotet",
"Tofsee",
"InMortal",
"Bradesco",
"Agent Tesla",
"Mitre",
"Pyscpa",
"TrojanSpy",
"SuppoBox",
"Occamy",
"DNSPIONAGE",
"Stealer",
"Password",
"Apple",
"Retail",
"Cherry Creek Colorado",
"Bot Networks",
"Ghost RAT",
"Networm"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "658a2b6cfdcfeec5db5f31a1",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7996,
"FileHash-SHA1": 3921,
"FileHash-SHA256": 5341,
"hostname": 2108,
"domain": 1005,
"URL": 5635,
"CIDR": 2,
"CVE": 21,
"email": 28
},
"indicator_count": 26057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a5c36b78ed73550bb0bf22",
"name": "by Disable_Duck",
"description": "",
"modified": "2026-03-04T23:37:24.208000",
"created": "2026-03-02T17:05:47.288000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB",
"TLS/SSL Crawler",
"CVE-2026-24061 Attempt",
"Generic IoT Default Password Attempt",
"Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
"Dahua Backdoor Attempt",
"ENV Crawler",
"DCERPC Protocol",
"Carries HTTP Referer",
"GNU Inetutils Telnetd Auth Bypass",
"ICMPv4 Protocol"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)",
"Argentina",
"Switzerland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6901363c4ce422f5caf0f72c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 996,
"domain": 987,
"hostname": 3306,
"email": 4,
"CVE": 1
},
"indicator_count": 27048,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "45 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6980689d04c3d0afa554c247",
"name": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26",
"description": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26",
"modified": "2026-03-04T08:01:36.153000",
"created": "2026-02-02T09:04:29.535000",
"tags": [
"entity",
"skreutzb",
"kgs0",
"kls0",
"please",
"javascript",
"Proton",
"Drive",
"Mail",
"Calendar",
"VPN",
"Ubiquiti",
"Unifi",
"Malcerts",
"Certificates",
"Apple",
"Github",
"Cocoapods"
],
"references": [
"https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark",
"https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027",
"https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 24,
"FileHash-SHA1": 20,
"FileHash-SHA256": 146,
"hostname": 143,
"URL": 218,
"domain": 35
},
"indicator_count": 586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6901363c4ce422f5caf0f72c",
"name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
"description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
"modified": "2026-02-18T05:00:41.494000",
"created": "2025-10-28T21:31:40.008000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 995,
"domain": 984,
"hostname": 3305,
"email": 4
},
"indicator_count": 27042,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "60 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68cda7d2fa81b016a486aad8",
"name": "logo Virustotal/Virustotal.com( usuni\u0119te pliki Virustotal i ich wsp\u00f3lne cechy)",
"description": "",
"modified": "2025-10-19T18:02:53.885000",
"created": "2025-09-19T18:58:26.750000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 213,
"FileHash-MD5": 100,
"FileHash-SHA1": 100,
"FileHash-SHA256": 150,
"domain": 11,
"hostname": 5
},
"indicator_count": 579,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "182 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68adee67c08cd025b05c2ab0",
"name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25",
"description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.",
"modified": "2025-10-16T05:02:02.452000",
"created": "2025-08-26T17:27:01.650000",
"tags": [
"http",
"https",
"kgs0",
"kls0",
"Malcerts",
"Certificates",
"Alberta",
"GovAB",
"UAlberta",
"Speader"
],
"references": [
"https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark",
"https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4",
"https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25",
"https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview",
"https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community",
"Added some URLs from FSio Report to URLScan"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Aruba",
"Panama",
"Poland",
"Ukraine",
"United Kingdom of Great Britain and Northern Ireland",
"Anguilla",
"United Arab Emirates",
"Ireland",
"Tanzania, United Republic of",
"Philippines",
"Japan",
"Guatemala",
"Mexico",
"Bahamas",
"Barbados",
"Georgia",
"Slovakia",
"Sint Maarten (Dutch part)",
"Kenya"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Government",
"Technology",
"Telecommunications",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1639,
"FileHash-MD5": 1481,
"FileHash-SHA1": 1421,
"FileHash-SHA256": 5969,
"domain": 707,
"hostname": 2311,
"email": 5,
"CIDR": 13
},
"indicator_count": 13546,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "185 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68b78d521f024d3a98fc79c8",
"name": "VT Graph miniuser - Databreach IOCs & Links",
"description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-03T00:35:30.936000",
"tags": [
"kgs0",
"kls0",
"entity",
"UAlberta",
"University of Alberta",
"Hacked",
"DataBreach"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 132,
"FileHash-SHA1": 121,
"FileHash-SHA256": 711,
"URL": 83,
"domain": 50,
"hostname": 125
},
"indicator_count": 1222,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "198 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686d28ec9208b0424e0ccad2",
"name": "Remote Keylogger | Foundry",
"description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.",
"modified": "2025-09-19T03:02:22.742000",
"created": "2025-07-08T14:19:24.211000",
"tags": [
"delete",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"delete c",
"intel",
"write",
"malware",
"dynamicloader",
"yara rule",
"high",
"vmware",
"phishing",
"remote",
"keylogger",
"remote keylogger",
"type indicator",
"related pulses",
"no expiration",
"url https",
"showing",
"reputation",
"foundry",
"apple",
"downloader",
"trojan"
],
"references": [
"http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||",
"\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net",
"\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects",
"\u2022 199.59.243.226",
"\u2022 ww25.vpn.steamcommunity-site.info",
"\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/",
"\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/",
"\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us",
"\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com",
"\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Reputation.1",
"display_name": "Reputation.1",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [
"Telecommunications",
"Technology",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 260,
"FileHash-SHA1": 244,
"FileHash-SHA256": 4406,
"URL": 9684,
"domain": 3164,
"hostname": 3370,
"CVE": 1
},
"indicator_count": 21129,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "212 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "687605f986433ebf2673f0b8",
"name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring",
"description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}",
"modified": "2025-08-14T07:05:00.239000",
"created": "2025-07-15T07:40:41.180000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses hostname",
"entries",
"gmt etag",
"server",
"ecacc",
"serving ip",
"address",
"dom dom",
"data upload",
"extraction",
"pdf report",
"enter",
"failed",
"extraction data",
"enter sc",
"type",
"extra data",
"extri please",
"review data",
"excluded tous",
"tui sugges",
"find",
"show",
"at filer",
"iocs",
"levelbluelabs",
"please",
"included iocs",
"excluded io",
"find suggested",
"types",
"domain data",
"search",
"o please",
"manually add",
"c data",
"o suggesteo",
"include data",
"review uus",
"u exclude",
"find s",
"indicaok data",
"dom doman",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"copy",
"push",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ascii text",
"size",
"mitre att",
"utf8",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"discovery att"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3597,
"FileHash-MD5": 343,
"domain": 547,
"hostname": 1222,
"FileHash-SHA1": 343,
"FileHash-SHA256": 4464,
"CVE": 1,
"email": 1
},
"indicator_count": 10518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "248 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "20python.org",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "20python.org",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776639132.7519739
}