{ "type": "IPv4", "indicator": "5.5.7.3", "general": { "whois": "http://whois.domaintools.com/5.5.7.3", "reputation": 0, "indicator": "5.5.7.3", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 406154850, "indicator": "5.5.7.3", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 26, "pulses": [ { "id": "6a1b57af6e1986d0628bca12", "name": "SystemBC RAT, Quant Loader, and LogMeIn.com, combined to execute a multi-stage Corporate Styled Network Intrusion", "description": "\"Living off the Land\" Takeover (LogMeIn.com)\u201c\nINCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device.Vector: Local network exposure (compromised router/neighboring device) or physical media (USB).Attack Chain Stages:Quant Script: Obfuscated entry file bypassing network filters.SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands.LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected.Crowti (CryptoWall): Final ransomware payload to encrypt high-value data.Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. \n\nI\u2019m open to other opinions regarding this report. I have been unwell and my thinking has been unclear and even off as I focus on getting well.\nThank you.", "modified": "2026-05-30T21:33:35.237000", "created": "2026-05-30T21:33:35.237000", "tags": [ "united", "unknown aaaa", "servers", "certificate", "urls", "logmein", "ipv4", "url analysis", "files", "america flag", "level", "data upload", "extraction", "failed", "enter sc", "extri data", "include review", "stop typ", "domain don", "united states", "america asn", "net20525119201", "amazon data", "net20525119202", "address range", "cidr", "network name", "allocation type", "whois server", "entity adsn1", "handle", "sc data", "netherlands asn", "as204601 zomro", "dns resolutions", "log id", "gmtn", "timestamp", "tls web", "expiresfri", "path", "httponly", "salford", "sectigo limited", "sectigo rsa", "accept", "organization", "false", "authentication", "ocsp", "c179044d", "b89a", "d4n timestamp", "df9b", "post na", "lredmond", "stwa", "cnmicrosoft tls", "g2 rsa", "ca ocsp", "rmm domain", "search", "flashpix", "write", "unknown", "malware", "encrypt", "high", "medium", "write c", "template", "registers", "moved", "record value", "tls sni", "observed rmm", "omicrosoft", "stwashington", "server ca", "extr data", "error", "a50 data", "pattern match", "ascii text", "mitre att", "ck id", "general", "local", "click", "strings", "u extractio", "extrac data", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "signing defense", "discovery att", "code signing", "defense evasion", "t1480.002", "mrasn", "cachecontrol", "connection", "date tue", "gmt etag", "self", "etag w/\"leknjhepnj99sn\"", "name servers", "extre data", "observed dns", "query", "show", "localsm05208304", "localsm03520304", "title error", "all ipv4", "reverse dns", "as14618", "extraction data", "creato touc", "digice rsa", "sh certific", "hid iv", "trojandropper", "backdoor", "present may", "please", "x msedge", "exploit", "as8068", "av detection", "ratio", "ids detections", "content length", "content type", "x powered", "asn as16509", "x vercel", "vercel", "gmt content", "ransom", "dynamicloader", "msie", "windows nt", "wow64", "slcc2", "media center", "sysv", "buildid", "germany as8560", "yara detections", "contacted", "elf", "filehash", "av detections", "alerts", "analysis date", "file score", "low risk", "elf executable", "exec amd6464", "linux", "elf64 operation", "unix", "compiler", "elf info", "progbits", "offset size", "flags", "null", "hashes o", "get http", "post http", "entries", "trojan", "pegasus", "apple", "amazonaws", "smtp", "self-delete", "service-scan", "applayer", "madagascar", "qnapcrypt", "mal_elf_systembc_rat", "rat", "hacktool code", "systembc", "t1064", "create", "modify system", "process", "t1543 privile", "ta0004 cr", "t1543", "creation date", "whois show", "emails", "name logmein", "org logmein", "summer st", "date hash", "avast avg", "mtb jul", "k jun", "ai", "ai report", "appleremotesupport", "remotelyanywhere", "pegasus related" ], "references": [ "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/", "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy", "Amazonaws.com \u2022 Amazon.com", "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.anyxxxtube.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting", "http://212.33.237.86/images/1/report.php", "http://watchhers.net/index.php", "remoteexecution-runner-api.services.gotoresolve.com", "firebaseremoteconfig.googleapis.com", "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com", "alerts-monitor-api-fd-prodeu.services.gotoresolve.com", "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "Yara Detections: is__elf", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "Names: testpaging upof6w.exe", "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info", "https://cdn.console.gotoresolve.com/applet", "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP", "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)", "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "Matches rule SURICATA Applayer Detect protocol only one direction", "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->", "to act as their human-controlled, \"living off the land\" command station.", "Attack ChainThreat actors chain these three specific components together to bypass traditional ->", "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794", "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]", "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.", "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,", "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.", "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection", "by pulling its primary files over public SMB shares.", "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.", "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.", "This lets the threat actor route malicious command traffic into the local corporate network undetected.", "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.", "Because LogMeIn is a legitimate remote management tool used by actual IT departments,", "its outbound traffic to logmein.com domains looks completely normal to firewalls.", "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware", "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022", "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com", "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com", "appleremotesupport.com \u2022 remotelyanywhere.com", "Immediate Recommendations: Disconnect all routers and isolate the network.", "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.", "Change all credentials from a separate, clean network.", "If possible: Move to Switzerland" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Trojan.Systembc/yxgdgz", "display_name": "Trojan.Systembc/yxgdgz", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "TrojanDownloader:JS/Swabfex.P", "display_name": "TrojanDownloader:JS/Swabfex.P", "target": "/malware/TrojanDownloader:JS/Swabfex.P" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen!K", "display_name": "TrojanDropper:Win32/Cutwail.gen!K", "target": "/malware/TrojanDropper:Win32/Cutwail.gen!K" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win.Trojan.Hupigon-6989556-0", "display_name": "Win.Trojan.Hupigon-6989556-0", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 275, "FileHash-SHA1": 243, "FileHash-SHA256": 1320, "URL": 897, "domain": 796, "email": 7, "hostname": 783, "IPv4": 446, "CIDR": 2, "SSLCertFingerprint": 33 }, "indicator_count": 4802, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "11 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a3c685d4b7c139ffe62930", "name": "Clone Pulse Reference", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:54:29.384000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6906bd99cadbd4140014c6af", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 454, "hostname": 1404, "URL": 3557, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1, "CVE": 1 }, "indicator_count": 6754, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "695ca8b688eb56b3a0247098", "name": "System32 - Subfolders", "description": "E:\\Suss-SG2\\System32 - Subfolders.zip", "modified": "2026-02-05T06:03:21.110000", "created": "2026-01-06T06:16:22.880000", "tags": [ "tue apr", "scanid", "mon mar", "archivesize", "archivesha1", "archivesha256", "archivecreated", "f archiveowner", "sigtype1", "sigclass1", "look", "powershell", "first", "strings", "dllinject", "june", "span", "error", "fail", "rooter", "info", "alphabet", "false", "path", "service", "dword", "shell", "model", "assistant", "code", "syst", "checker", "rest", "core", "tencent", "null", "accept", "open", "pass", "internal", "meta", "root", "desktop", "window", "maximu", "stream", "android", "comp", "date", "whirlpool", "kevin", "sett", "locale", "cloud", "malware", "class" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 148, "CIDR": 2, "FileHash-MD5": 9860, "FileHash-SHA1": 10592, "FileHash-SHA256": 8443, "domain": 147, "email": 6, "hostname": 49 }, "indicator_count": 29247, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "115 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69589ae12fa3212a68dfd1c7", "name": "C:\\Windows\\system32\\free", "description": "C:\\Windows\\system32\\free", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-03T04:28:17.166000", "tags": [ "sat dec", "hx83xec", "packages", "mon jun", "owner rights", "scanid", "regqueryvalue", "malware file", "mz created", "desc", "look", "dllinject", "service", "null", "defender", "malware", "desktop", "window", "shell", "june" ], "references": [ "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/summary", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 258, "FileHash-SHA1": 120, "FileHash-SHA256": 118, "URL": 52, "domain": 2, "email": 6, "hostname": 16 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "155 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6906bd99cadbd4140014c6af", "name": "Espionage - Gravity RAT + | Legal entities are State owned. Attacking severely injured PT\u2019s SA victim.", "description": "Fastly CDN for Palantir (Verizon) unless updated. Very malicious IoC\u2019s found evaluating IoC\u2019 from Christopher Ahmann - TAM Legal link.\n- Made contact with victim several times.\n- Illegal contact made with attorneys considering representing Tsara. \n- https://unicef.se/assets/apple - link related to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage.\n\nAhmann is named as special counsel but he , like Brian Sabey are \u2018ONLY\u2019 cyber attacking Tsara Brashears.\n\n- protecting Jeffrey Reimer DPT, multiple doctors, Concentra, blocked and denied care , hired a hitman/men and it would have. Even cheaper to pay her for the injuries she never sought compensation for due to aggressive attacks and threats.", "modified": "2025-12-02T01:05:30.331000", "created": "2025-11-02T02:10:33.546000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 449, "hostname": 1403, "URL": 3552, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1 }, "indicator_count": 6742, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "67b11e4d0c6e678b663fee63", "name": "plik wykonywalny PE32 (DLL) dla systemu MS Windows i'u\u017cytkownik,", "description": "", "modified": "2025-09-01T07:52:22.146000", "created": "2025-02-15T23:07:57.937000", "tags": [ "typ pliku", "pe32", "intel", "ms windows", "sha1", "rozmiar", "ascii z", "crlf md5", "ascii", "identyfikator", "z bardzo", "iii dbt", "win32", "win64", "vhash", "rich pe", "sha256", "pejzasz" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 88, "FileHash-SHA256": 208, "URL": 6, "domain": 3, "hostname": 4, "CVE": 2 }, "indicator_count": 410, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "681386d75c34469176686756", "name": "x.com/KulinskiArkadi", "description": "", "modified": "2025-05-31T14:01:10.044000", "created": "2025-05-01T14:36:07.422000", "tags": [ "script", "etag", "sharing", "cors", "mediatype", "mediasubtype", "contenttype", "header", "combination", "compression", "encrypt", "cookie", "critical", "twitter", "iframe", "insert", "info", "error", "suspicious", "find", "screen", "grok", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 471, "CIDR": 34, "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 1177, "domain": 214, "hostname": 430, "email": 2 }, "indicator_count": 2342, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "364 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66d0c4cb716b88c464c666c3", "name": "The Best Buy Virus - Spreads Via Bluetooth, Pre-Boots Bios", "description": "https://any.run/report/c6240ca88eed5b237451d4ceab51a5df1e8bc3b0a4a0e099fbe4b9f0d5cf23a2/bb5def03-bc05-461a-8f31-dac27aa379a3#i-table-processes-e4bd3114-7005-4ba7-96c9-337696f5c010\n\nFormerly referred to as WhinySuckyBaby before Best Buy Corporate elected to completely avoid all responsibility for the virus that they are spreading to anyone that walks into those stores. Infection is proven and on video at: Https://BiosVir.us or https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "modified": "2025-05-15T09:15:39.493000", "created": "2024-08-29T18:58:19.338000", "tags": [ "Bios", "Virus", "Sucky", "Bluetooth", "CryptoMining", "Keylogging", "Crypto", "Euif", "Best", "Persistant", "Survives Reformat", "No Help", "Buy", "WhinySuckyBaby", "Squad", "Whiny", "Mark Monitor", "Digital Stalking", "Best Buy", "Baby", "w3.org", "Geek" ], "references": [ "", "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806", "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "Https://BiosVir.us", "Https://BluetoothVirus.com", "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061", "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 13, "follower_count": 0, "vote": 0, "author": { "username": "Jeff4Son", "id": "291365", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 422, "FileHash-SHA1": 420, "FileHash-SHA256": 966, "URL": 620, "domain": 531, "hostname": 1564, "email": 6, "SSLCertFingerprint": 13 }, "indicator_count": 4542, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "380 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "664b74b2683dec84891aef96", "name": "PrivateLoader is a malware with a module structure that has the capability is to download and execute one or several payloads", "description": "http://185.172.128.69/batushka/inte.exe \nhttp://185.172.128.69/allnewumm.exe\nhttp://185.172.128.69/brandumma.exe\nhttp://185.172.128.69/files\nhttp://185.172.128.69/files/US.file\nhttp://185.172.128.69/latestumma.exe\nhttp://185.172.128.69/newumma.exe\nhttp://185.172.128.69/sekundumma.exe\nhttp://185.172.128.69/ummanew.exe", "modified": "2024-10-14T20:36:05.361000", "created": "2024-05-20T16:05:06.313000", "tags": [ "stdin via", "nextron", "powershell id", "powershell", "tim rauch", "elastic", "script block", "logging", "pe32", "ms windows", "intel", "nazwa typ", "md5 nazwa", "procesu" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7268, "domain": 1310, "URL": 8101, "FileHash-SHA1": 1615, "hostname": 2590, "FileHash-MD5": 1852, "email": 267, "SSLCertFingerprint": 3, "CIDR": 38, "CVE": 7, "IPv4": 15, "YARA": 4 }, "indicator_count": 23070, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "667af85fe8fea6365adaa65d", "name": "Norton & Norton Lifelock Products", "description": "Just taking a pak at some Norton-Related Problems\n(03.11.24): https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "modified": "2024-09-29T20:01:29.028000", "created": "2024-06-25T17:03:27.155000", "tags": [ "entity", "please", "javascript", "xwwmwh4cg2hpw" ], "references": [ "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)" ], "public": 1, "adversary": "Norton Norton Lifelock Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 54, "FileHash-SHA256": 831, "URL": 1120, "domain": 181, "hostname": 261 }, "indicator_count": 2497, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "655 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "1001 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "1001 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "628d95bd59109416c444c985", "name": "The infectors and The infected - string.dmp", "description": "", "modified": "2022-06-24T00:01:00.706000", "created": "2022-05-25T02:34:37.956000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "references": [ "", "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.", "dbixs_rev.h", "appleremotesupport.com \u2022 remotelyanywhere.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.anyxxxtube.net", "rpc", "arm64e-apple-macos.swiftinterface", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "zprofile", "MultipeerConnectivity.h", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "MCPeerID.h", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "bounce.cf.default", "master.cf.default", "http://212.33.237.86/images/1/report.php", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "master.cf", "Change all credentials from a separate, clean network.", "man.conf", "Names: testpaging upof6w.exe", "47.courier-push-apple.com.akadns.net", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->", "makedefs.out", "preboot_archive_errors.log", "rmtab", "main.cf", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com", "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.", "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/summary", "Because LogMeIn is a legitimate remote management tool used by actual IT departments,", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "https://unicef.se/assets/apple", "disk_structure.txt", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "launchagents.txt", "kexts.txt", "transport", "launchdaemons.txt", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)", "LDAP.tbd", "main.cf.proto", "sharingPreferences.csv", "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "Https://BiosVir.us", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "access", "sudoers", "custom-error.html", "zshrc_Apple_Terminal", "systemControls.csv", "group", "smb.conf", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "MultipeerConnectivity.apinotes", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "rc.netboot", "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.", "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "MCNearbyServiceBrowser.h", "networks", "interfaceDetails.csv", "CodeResources", "hook_op_check.h", "generic", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "convenience.map", "com.apple.screensharing.agent.launchd", "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "If possible: Move to Switzerland", "MultipeerConnectivity.tbd", "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)", "interfaceAddrs.csv", "mounts.csv", "autofs.conf", "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/", "bashrc", "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy", "AppleFirmwareUpdate.tbd", "https://cdn.console.gotoresolve.com/applet", "mounts.txt", "configuring.html", "pf.os", "http://watchhers.net/index.php", "http://www.google.com/images/errors/robot.png", "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,", "main.cf.default", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]", "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "kern_loader.conf", "profile", "caching.html", "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "header_checks", "csh.cshrc", "module.modulemap", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/iocs", "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "ntp.conf", "battery.csv", "security_status.txt", "http://x.com/denverpolice/status/", "arm64e-apple-ios-macabi.swiftinterface", "certificates.csv", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting", "aliases", "APConfigurationSystem.tbd", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "relocated", "ntp_opendirectory.conf", "master.cf.proto", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "nfs.conf", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "dbd_xsh.h", "Immediate Recommendations: Disconnect all routers and isolate the network.", "csh.login", "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com", "users.csv", "mail.rc", "sharedFolders.csv", "auto_master", "version.plist", "rc.common", "Ransom: message.htm.com", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Https://BluetoothVirus.com", "Attack ChainThreat actors chain these three specific components together to bypass traditional ->", "BUILDING", "gettytab", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "remoteexecution-runner-api.services.gotoresolve.com", "command_args.json", "newsyslog.conf", "virtual", "crashes.csv", "locate.rc", "its outbound traffic to logmein.com domains looks completely normal to firewalls.", "TLS_LICENSE", "alerts-monitor-api-fd-prodeu.services.gotoresolve.com", "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6", "process_list.txt", "launchD.csv", "pf.conf", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "firebaseremoteconfig.googleapis.com", "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Info.plist", "bind.html", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "systemInfo.csv", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "resolv.conf", "Fastly Error and Palantir blocked several times over the last few months.", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "applications.csv", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "notify.conf", "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022", "rtadvd.conf", "sudo_lecture", "dbi_sql.h", "Amazonaws.com \u2022 Amazon.com", "content-negotiation.html", "Yara Detections: is__elf", "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794", "index.html.en", "ftpusers", "auto_home", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "shells", "sipConfig.csv", "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP", "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "postfix-files", "xtab", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "Pool's Closed", "lber.h", "user_launchagents.txt", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "MCSession.h", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "managedPolicies.csv", "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.", "find.codes", "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "diskEncryption.csv", "protocols", "x86_64-apple-macos.swiftinterface", "custom_header_checks", "apfs_boot_mount.tbd", "Matches rule SURICATA Applayer Detect protocol only one direction", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "ldap.h", "canonical", "ttys", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "paths", "bashrc_Apple_Terminal", "irbrc", "This lets the threat actor route malicious command traffic into the local corporate network undetected.", "LocalAuthentication.tbd", "MCAdvertiserAssistant.h", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "etcHosts.csv", "DBIXS.h", "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware", "zshrc", "AOSKit.tbd", "manpaths", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "dbivport.h", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "afpovertcp.cfg", "MCError.h", "MCNearbyServiceAdvertiser.h", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "csh.logout", "nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "Pool Closed", "472.dmp.strings", "to act as their human-controlled, \"living off the land\" command station.", "MCBrowserViewController.h", "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]", "Admin.tbd", "AirPlayReceiver.tbd", "kernel.csv", "asl.conf", "Driver_xst.h", "passwd", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "syslog.conf", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "usbDevices.csv", "x86_64-apple-ios-macabi.swiftinterface", "chromeExtensions.csv", "LICENSE", "by pulling its primary files over public SMB shares." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group", "Norton Norton Lifelock Telus" ], "malware_families": [ "Trojan:win32/zombie.a", "Alf:trojan:win32/cassini_6d4ebdc9!ibt", "Ransom:win32/crowti.a", "Win32/vflooder.b vtapi dos", "Firstname", "Worm:win32/enosch!atmn", "W32.aidetectmalware.cs", "Win32:renos-ky\\ [trj]", "Trojan:win32/qqpass", "Pup/hacktool", "Win.trojan.agent-752791", "Win.virus.pioneer-9111434-0", "Win32:malware-gen", "Win.malware.vtflooder-6723768-0", "Win.downloader.nemucod-6769668-0", "Lastname", "Win32/vflooder.b checkin", "Worm:win32/pykspa.c", "Trojan:win32/neconyd.a", "Trojanspy:win32/nivdort.cw", "Win32:trojan-gen", "Win.trojan.downloader-63174", "Win.trojan.hupigon-6989556-0", "Pws:win32/qqpass.fc", "Doc.downloader.emotetred02220-9938909-0", "#lowfi:suspicioussectionname", "Win.malware.jaik-9968280-0", "Multiple malware\u2019s , trojans and rats", "Backdoor.xtreme", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Trojandownloader:js/swabfex.p", "Clicker.bgou", "Win.dropper.qqpass-9895638-0", "Win.trojan.gh0strat-9955419-1", "Trojan.systembc/yxgdgz", ", win.worm.pykspa-6057105-0", "Emotet", "Win.trojan.vundo-7170412-0", "Wannacry", "Win.malware.urelas-9863836-0", "Virus:win32/floxif.h", "Trojandropper:win32/cutwail.gen!k" ], "industries": [ "Education", "Government", "Healthcare", "Media", "Technology", "Ad fraud", "Telecommunications" ] } } }, "false_positive": [], "validation": [], "asn": "AS6805 telefonica germany gmbh & co.ohg", "city_data": true, "city": null, "region": null, "continent_code": "EU", "country_code3": "DEU", "country_code2": "DE", "subdivision": null, "latitude": 51.2993, "postal_code": null, "longitude": 9.491, "accuracy_radius": 200, "country_code": "DE", "country_name": "Germany", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/de.png", "flag_title": "Germany", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "AS6805 telefonica germany gmbh & co.ohg", "city_data": true, "city": null, "region": null, "continent_code": "EU", "country_code3": "DEU", "country_code2": "DE", "subdivision": null, "latitude": 51.2993, "postal_code": null, "longitude": 9.491, "accuracy_radius": 200, "country_code": "DE", "country_name": "Germany", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/de.png", "flag_title": "Germany" }, "geo_ipapicom": { "country": "Germany", "country_code": "DE", "region": "Bavaria", "city": "Munich", "zip": "80331", "latitude": 48.1769, "longitude": 11.5327, "timezone": "Europe/Berlin", "isp": "Telefonica Germany GmbH & Co. OHG", "org": "Telefonica Germany GmbH & Co.OHG", "asn": "AS6805 Telefonica Germany GmbH & Co.OHG", "asn_name": "TDDE-ASN1", "is_proxy": false, "is_hosting": false, "source": "ip-api.com" }, "pulse_count": 26, "pulses": [ { "id": "6a1b57af6e1986d0628bca12", "name": "SystemBC RAT, Quant Loader, and LogMeIn.com, combined to execute a multi-stage Corporate Styled Network Intrusion", "description": "\"Living off the Land\" Takeover (LogMeIn.com)\u201c\nINCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device.Vector: Local network exposure (compromised router/neighboring device) or physical media (USB).Attack Chain Stages:Quant Script: Obfuscated entry file bypassing network filters.SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands.LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected.Crowti (CryptoWall): Final ransomware payload to encrypt high-value data.Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. \n\nI\u2019m open to other opinions regarding this report. I have been unwell and my thinking has been unclear and even off as I focus on getting well.\nThank you.", "modified": "2026-05-30T21:33:35.237000", "created": "2026-05-30T21:33:35.237000", "tags": [ "united", "unknown aaaa", "servers", "certificate", "urls", "logmein", "ipv4", "url analysis", "files", "america flag", "level", "data upload", "extraction", "failed", "enter sc", "extri data", "include review", "stop typ", "domain don", "united states", "america asn", "net20525119201", "amazon data", "net20525119202", "address range", "cidr", "network name", "allocation type", "whois server", "entity adsn1", "handle", "sc data", "netherlands asn", "as204601 zomro", "dns resolutions", "log id", "gmtn", "timestamp", "tls web", "expiresfri", "path", "httponly", "salford", "sectigo limited", "sectigo rsa", "accept", "organization", "false", "authentication", "ocsp", "c179044d", "b89a", "d4n timestamp", "df9b", "post na", "lredmond", "stwa", "cnmicrosoft tls", "g2 rsa", "ca ocsp", "rmm domain", "search", "flashpix", "write", "unknown", "malware", "encrypt", "high", "medium", "write c", "template", "registers", "moved", "record value", "tls sni", "observed rmm", "omicrosoft", "stwashington", "server ca", "extr data", "error", "a50 data", "pattern match", "ascii text", "mitre att", "ck id", "general", "local", "click", "strings", "u extractio", "extrac data", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "signing defense", "discovery att", "code signing", "defense evasion", "t1480.002", "mrasn", "cachecontrol", "connection", "date tue", "gmt etag", "self", "etag w/\"leknjhepnj99sn\"", "name servers", "extre data", "observed dns", "query", "show", "localsm05208304", "localsm03520304", "title error", "all ipv4", "reverse dns", "as14618", "extraction data", "creato touc", "digice rsa", "sh certific", "hid iv", "trojandropper", "backdoor", "present may", "please", "x msedge", "exploit", "as8068", "av detection", "ratio", "ids detections", "content length", "content type", "x powered", "asn as16509", "x vercel", "vercel", "gmt content", "ransom", "dynamicloader", "msie", "windows nt", "wow64", "slcc2", "media center", "sysv", "buildid", "germany as8560", "yara detections", "contacted", "elf", "filehash", "av detections", "alerts", "analysis date", "file score", "low risk", "elf executable", "exec amd6464", "linux", "elf64 operation", "unix", "compiler", "elf info", "progbits", "offset size", "flags", "null", "hashes o", "get http", "post http", "entries", "trojan", "pegasus", "apple", "amazonaws", "smtp", "self-delete", "service-scan", "applayer", "madagascar", "qnapcrypt", "mal_elf_systembc_rat", "rat", "hacktool code", "systembc", "t1064", "create", "modify system", "process", "t1543 privile", "ta0004 cr", "t1543", "creation date", "whois show", "emails", "name logmein", "org logmein", "summer st", "date hash", "avast avg", "mtb jul", "k jun", "ai", "ai report", "appleremotesupport", "remotelyanywhere", "pegasus related" ], "references": [ "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/", "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy", "Amazonaws.com \u2022 Amazon.com", "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.anyxxxtube.net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting", "http://212.33.237.86/images/1/report.php", "http://watchhers.net/index.php", "remoteexecution-runner-api.services.gotoresolve.com", "firebaseremoteconfig.googleapis.com", "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com", "alerts-monitor-api-fd-prodeu.services.gotoresolve.com", "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1", "Yara Detections: is__elf", "IP\u2019s Contacted: 104.17.118.12 57.144.248.1 176.114.120.24 80.12.24.14 95.163.61.73 142.251.98.113 212.227.17.162 77.88.44.55 142.93.142.17 104.18.14.206", "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com", "Names: testpaging upof6w.exe", "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info", "https://cdn.console.gotoresolve.com/applet", "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP", "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)", "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60", "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)", "Matches rule SURICATA Applayer Detect protocol only one direction", "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->", "to act as their human-controlled, \"living off the land\" command station.", "Attack ChainThreat actors chain these three specific components together to bypass traditional ->", "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794", "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]", "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.", "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,", "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.", "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection", "by pulling its primary files over public SMB shares.", "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.", "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.", "This lets the threat actor route malicious command traffic into the local corporate network undetected.", "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.", "Because LogMeIn is a legitimate remote management tool used by actual IT departments,", "its outbound traffic to logmein.com domains looks completely normal to firewalls.", "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware", "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022", "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com", "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com", "appleremotesupport.com \u2022 remotelyanywhere.com", "Immediate Recommendations: Disconnect all routers and isolate the network.", "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.", "Change all credentials from a separate, clean network.", "If possible: Move to Switzerland" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Trojan.Systembc/yxgdgz", "display_name": "Trojan.Systembc/yxgdgz", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "TrojanDownloader:JS/Swabfex.P", "display_name": "TrojanDownloader:JS/Swabfex.P", "target": "/malware/TrojanDownloader:JS/Swabfex.P" }, { "id": "Win.Downloader.Nemucod-6769668-0", "display_name": "Win.Downloader.Nemucod-6769668-0", "target": null }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen!K", "display_name": "TrojanDropper:Win32/Cutwail.gen!K", "target": "/malware/TrojanDropper:Win32/Cutwail.gen!K" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win.Trojan.Hupigon-6989556-0", "display_name": "Win.Trojan.Hupigon-6989556-0", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 275, "FileHash-SHA1": 243, "FileHash-SHA256": 1320, "URL": 897, "domain": 796, "email": 7, "hostname": 783, "IPv4": 446, "CIDR": 2, "SSLCertFingerprint": 33 }, "indicator_count": 4802, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "11 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 1 }, { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69a3c685d4b7c139ffe62930", "name": "Clone Pulse Reference", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:54:29.384000", "tags": [ "ipv4", "active related", "trojandropper", "mtb jun", "lowfi", "trojan", "mtb jan", "fastly error", "please", "united", "ttl value", "get na", "total", "delete", "search", "yara detections", "sinkhole cookie", "value snkz", "write", "suspicious", "ransom", "malware", "Ransom.Win32.Birele.gsg Checkin", "AnubisNetworks Sinkhole Cookie Value Snkz", "Possible Compromised Host", "dynamicloader", "delete c", "default", "medium", "write c", "settingswpad", "intel", "ms windows", "users", "number", "title", "installer", "top source", "top destination", "source source", "port", "filehash", "av detections", "ids detections", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "ids signatures", "exploits", "sid name", "malware cve", "dns query", "dnsbin demo", "data exfil", "exif data", "DNS Query for Webhook/HTTP Request Inspection Service (x .pipedr", "DNSBin Demo (requestbin .net) - Data Exfitration", "source port", "destination", "present sep", "script urls", "script script", "a domains", "script domains", "ip address", "meta", "present nov", "passive dns", "next associated", "domain add", "pe executable", "entries", "show", "msie", "windows nt", "wow64", "copy", "present jan", "present feb", "domain", "pulse pulses", "urls", "files", "tam legal", "christopher ahmann", "https://unicef.se/assets/apple", "treece alfrey", "hours ago", "information", "report spam", "ahmann colorado", "state", "special cousel", "created", "expiro", "capture" ], "references": [ "Fastly IP Block: 151.101.0.0/16 | Organizations like Palantir may use third-party services such as Fastly's CDN", "Fastly Error and Palantir blocked several times over the last few months.", "Denver ; ISP, Fastly, Inc. ; Organization, Fastly, Inc. ; Network, AS54113 Fastly, Inc. (VPN, CDN, DDOSM,)", "IP Region, Quebec. City ; Net Range, 151.101.0.0 - 151.101.255.255. CIDR ; Full Name, Fastly, Inc.", "Palantir quasi government client Ab/using Palantir subdomains , Fastly is CDN", "Yara: SUSP_ENV_Folder_Root_File_Jan23_1 %APPDATA%\\ewiuer2.exe SCRIPT", "Win.Trojan.Vundo-7170412-0\t#Lowfi:SuspiciousSectionName", "Link below used to defraud Tsara to think she\u2019d violated Patriot Act warranting NSA , Palinter espionage", "https://unicef.se/assets/apple" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "PWS:Win32/QQpass.FC", "display_name": "PWS:Win32/QQpass.FC", "target": "/malware/PWS:Win32/QQpass.FC" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Urelas-9863836-0", "display_name": "Win.Malware.Urelas-9863836-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Win.Trojan.Vundo-7170412-0", "display_name": "Win.Trojan.Vundo-7170412-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Multiple Malware\u2019s , Trojans and Rats", "display_name": "Multiple Malware\u2019s , Trojans and Rats", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6906bd99cadbd4140014c6af", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 909, "domain": 454, "hostname": 1404, "URL": 3557, "CIDR": 1, "FileHash-MD5": 242, "FileHash-SHA1": 185, "email": 1, "CVE": 1 }, "indicator_count": 6754, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "695ca8b688eb56b3a0247098", "name": "System32 - Subfolders", "description": "E:\\Suss-SG2\\System32 - Subfolders.zip", "modified": "2026-02-05T06:03:21.110000", "created": "2026-01-06T06:16:22.880000", "tags": [ "tue apr", "scanid", "mon mar", "archivesize", "archivesha1", "archivesha256", "archivecreated", "f archiveowner", "sigtype1", "sigclass1", "look", "powershell", "first", "strings", "dllinject", "june", "span", "error", "fail", "rooter", "info", "alphabet", "false", "path", "service", "dword", "shell", "model", "assistant", "code", "syst", "checker", "rest", "core", "tencent", "null", "accept", "open", "pass", "internal", "meta", "root", "desktop", "window", "maximu", "stream", "android", "comp", "date", "whirlpool", "kevin", "sett", "locale", "cloud", "malware", "class" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 148, "CIDR": 2, "FileHash-MD5": 9860, "FileHash-SHA1": 10592, "FileHash-SHA256": 8443, "domain": 147, "email": 6, "hostname": 49 }, "indicator_count": 29247, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "115 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69589ae12fa3212a68dfd1c7", "name": "C:\\Windows\\system32\\free", "description": "C:\\Windows\\system32\\free", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-03T04:28:17.166000", "tags": [ "sat dec", "hx83xec", "packages", "mon jun", "owner rights", "scanid", "regqueryvalue", "malware file", "mz created", "desc", "look", "dllinject", "service", "null", "defender", "malware", "desktop", "window", "shell", "june" ], "references": [ "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/summary", "https://www.virustotal.com/gui/collection/7299f01709307424448f6b62c4083fd5ccbaa4fbce3143947cb3f4742095d593/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 258, "FileHash-SHA1": 120, "FileHash-SHA256": 118, "URL": 52, "domain": 2, "email": 6, "hostname": 16 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "5.5.7.3", "type": "IPv4" }, "abuseipdb": { "error": "AbuseIPDB daily limit reached (1,000/day).", "indicator": "5.5.7.3" }, "urlhaus": { "indicator": "5.5.7.3", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780216545.020873 }