{ "type": "Domain", "indicator": "8686c.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/8686c.com", "alexa": "http://www.alexa.com/siteinfo/8686c.com", "indicator": "8686c.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3183304538, "indicator": "8686c.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "154 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709158fffe8e43cf5395ff", "name": "Hostname alsgp0.fds.api.xiaomi.com and M$ signed and secured", "description": "", "modified": "2023-12-06T15:20:56.943000", "created": "2023-12-06T15:20:56.943000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 719, "URL": 1177, "hostname": 409, "domain": 158, "FileHash-MD5": 72, "FileHash-SHA1": 50, "CVE": 1, "email": 7 }, "indicator_count": 2593, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657091100e9f5aa6eb534fb4", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "", "modified": "2023-12-06T15:19:44.839000", "created": "2023-12-06T15:19:44.839000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "domain": 2723, "URL": 442 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708cee75cb524822443805", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2023-12-06T15:02:05.972000", "created": "2023-12-06T15:02:05.972000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6174, "FileHash-SHA256": 1762, "domain": 693, "email": 2, "hostname": 1343, "FileHash-MD5": 115, "FileHash-SHA1": 107, "CVE": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f65a8cfdebc1d101ed3e11", "name": "Hostname alsgp0.fds.api.xiaomi.com and M$ signed and secured", "description": "starfield tech certs still in use despite apple revoking a long time ago yet microsoft secure boot resigning via bootliader ??? maybe", "modified": "2022-09-11T00:00:26.117000", "created": "2022-08-12T13:50:04.204000", "tags": [ "apt", "runtime data", "decrypted ssl", "windows nt", "cdn cache", "pcap", "zxxz", "akez", "august", "united", "osint", "flag", "service name", "service", "file sha256", "https://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLw", "Base64", "Apple revoked Starfield tech certs maybe 2 or more years ago" ], "references": [ "https://hybrid-analysis.com/sample/df5b006ffcc47f2d09204068cf9be4fabcd2e978b7537ed7d5081e2283ac643b/62f5832ba20d9e610e54bfda", "** Starfieldtech certs revoked by Apple some time ago but still very much in play!!", "http://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1+30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA== No Expiration\t0\t URL http://ocsp.starfieldtech.com/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQUwPiEZQ6/sVZNPaFToNfxx8ZwqAQUfAwyH6fZMH/EfWijYqihzqsHWycCAQc=", "http://ocsp.starfieldtech.com/MEowSDBGMEQwQjAJBgUrDgMCGgUABBT1ZqtwV0O1KcYi0gdzcFkHM+uArAQUJUWBaFAmOD07LSy+zWrZtj2zZmMCCQC5kPTs88esXw==", "https://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1+30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA==", "BAse 64 encoded" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1177, "domain": 158, "hostname": 409, "FileHash-SHA256": 719, "email": 7, "FileHash-MD5": 72, "CVE": 1, "FileHash-SHA1": 50 }, "indicator_count": 2593, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1358 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ef13ad6547ed183dba3f3c", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "see im reading that domain as bro ca project", "modified": "2022-08-07T01:21:49.761000", "created": "2022-08-07T01:21:49.761000", "tags": [ "strong", "github", "jump", "github desktop", "sign", "iosrulescript", "quantumult", "boxjs", "chouchoui", "code issues", "contact", "star", "desktop", "stars", "footer", "view", "pull", "wiki security", "unicode", "copy", "wegare123vmt", "phoenix", "jquery", "discord", "ruby", "chinaz", "startpage" ], "references": [ "geosite.dat.html", "https://github.com/blackmatrix7/ios_rule_script" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "URL": 442, "domain": 2723 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626bdc17d4519e2619a504da", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2022-05-30T00:00:40.928000", "created": "2022-04-29T12:37:43.880000", "tags": [ "irr.blizzard.com", "irr.blizzard.com.", "24.105.29.24", "CVE-2018-8120" ], "references": [ "https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c", "https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910", "https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653", "https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4", "74.203.211.12:1433", "irr.blizzard.com. 24.105.29.24", "https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1343, "URL": 6174, "domain": 693, "FileHash-SHA256": 1762, "FileHash-MD5": 115, "CVE": 2, "FileHash-SHA1": 107, "email": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 410, "modified_text": "1462 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653", "CS IDS: Matches rule (http_inspect) invalid status line", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c", "http://www.anyxxxtube/", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "https://hybrid-analysis.com/sample/df5b006ffcc47f2d09204068cf9be4fabcd2e978b7537ed7d5081e2283ac643b/62f5832ba20d9e610e54bfda", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910", "BAse 64 encoded", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "Services : GoogleChromeElevationService = Delete", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "http://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1+30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA== No Expiration\t0\t URL http://ocsp.starfieldtech.com/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQUwPiEZQ6/sVZNPaFToNfxx8ZwqAQUfAwyH6fZMH/EfWijYqihzqsHWycCAQc=", "geosite.dat.html", "74.203.211.12:1433", "https://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1+30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA==", "https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4", "https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "http://ocsp.starfieldtech.com/MEowSDBGMEQwQjAJBgUrDgMCGgUABBT1ZqtwV0O1KcYi0gdzcFkHM+uArAQUJUWBaFAmOD07LSy+zWrZtj2zZmMCCQC5kPTs88esXw==", "https://github.com/blackmatrix7/ios_rule_script", "** Starfieldtech certs revoked by Apple some time ago but still very much in play!!", "irr.blizzard.com. 24.105.29.24", "Malware : ClipBanker Entity: Crazy Frost" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Crazy Frost" ], "malware_families": [ "Trojan.disfa/downloader10", "Other malware", "Trojan:win32/zusy", "Alf:heraklezeval:trojan:win32/clipbanker", "Rozena" ], "industries": [ "" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "154 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709158fffe8e43cf5395ff", "name": "Hostname alsgp0.fds.api.xiaomi.com and M$ signed and secured", "description": "", "modified": "2023-12-06T15:20:56.943000", "created": "2023-12-06T15:20:56.943000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 719, "URL": 1177, "hostname": 409, "domain": 158, "FileHash-MD5": 72, "FileHash-SHA1": 50, "CVE": 1, "email": 7 }, "indicator_count": 2593, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657091100e9f5aa6eb534fb4", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "", "modified": "2023-12-06T15:19:44.839000", "created": "2023-12-06T15:19:44.839000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "domain": 2723, "URL": 442 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708cee75cb524822443805", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2023-12-06T15:02:05.972000", "created": "2023-12-06T15:02:05.972000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6174, "FileHash-SHA256": 1762, "domain": 693, "email": 2, "hostname": 1343, "FileHash-MD5": 115, "FileHash-SHA1": 107, "CVE": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f65a8cfdebc1d101ed3e11", "name": "Hostname alsgp0.fds.api.xiaomi.com and M$ signed and secured", "description": "starfield tech certs still in use despite apple revoking a long time ago yet microsoft secure boot resigning via bootliader ??? maybe", "modified": "2022-09-11T00:00:26.117000", "created": "2022-08-12T13:50:04.204000", "tags": [ "apt", "runtime data", "decrypted ssl", "windows nt", "cdn cache", "pcap", "zxxz", "akez", "august", "united", "osint", "flag", "service name", "service", "file sha256", "https://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLw", "Base64", "Apple revoked Starfield tech certs maybe 2 or more years ago" ], "references": [ "https://hybrid-analysis.com/sample/df5b006ffcc47f2d09204068cf9be4fabcd2e978b7537ed7d5081e2283ac643b/62f5832ba20d9e610e54bfda", "** Starfieldtech certs revoked by Apple some time ago but still very much in play!!", "http://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1+30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA== No Expiration\t0\t URL http://ocsp.starfieldtech.com/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQUwPiEZQ6/sVZNPaFToNfxx8ZwqAQUfAwyH6fZMH/EfWijYqihzqsHWycCAQc=", "http://ocsp.starfieldtech.com/MEowSDBGMEQwQjAJBgUrDgMCGgUABBT1ZqtwV0O1KcYi0gdzcFkHM+uArAQUJUWBaFAmOD07LSy+zWrZtj2zZmMCCQC5kPTs88esXw==", "https://ocsp.starfieldtech.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1+30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA==", "BAse 64 encoded" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1177, "domain": 158, "hostname": 409, "FileHash-SHA256": 719, "email": 7, "FileHash-MD5": 72, "CVE": 1, "FileHash-SHA1": 50 }, "indicator_count": 2593, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1358 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ef13ad6547ed183dba3f3c", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "see im reading that domain as bro ca project", "modified": "2022-08-07T01:21:49.761000", "created": "2022-08-07T01:21:49.761000", "tags": [ "strong", "github", "jump", "github desktop", "sign", "iosrulescript", "quantumult", "boxjs", "chouchoui", "code issues", "contact", "star", "desktop", "stars", "footer", "view", "pull", "wiki security", "unicode", "copy", "wegare123vmt", "phoenix", "jquery", "discord", "ruby", "chinaz", "startpage" ], "references": [ "geosite.dat.html", "https://github.com/blackmatrix7/ios_rule_script" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "URL": 442, "domain": 2723 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626bdc17d4519e2619a504da", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2022-05-30T00:00:40.928000", "created": "2022-04-29T12:37:43.880000", "tags": [ "irr.blizzard.com", "irr.blizzard.com.", "24.105.29.24", "CVE-2018-8120" ], "references": [ "https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c", "https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910", "https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653", "https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4", "74.203.211.12:1433", "irr.blizzard.com. 24.105.29.24", "https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1343, "URL": 6174, "domain": 693, "FileHash-SHA256": 1762, "FileHash-MD5": 115, "CVE": 2, "FileHash-SHA1": 107, "email": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 410, "modified_text": "1462 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "8686c.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "8686c.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780204120.658385 }