{ "type": "Domain", "indicator": "acehigh.host", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/acehigh.host", "alexa": "http://www.alexa.com/siteinfo/acehigh.host", "indicator": "acehigh.host", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3684150391, "indicator": "acehigh.host", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-06-01T00:38:49.108000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64327, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880083, "is_author": false, "is_subscribing": null, "subscriber_count": 301, "modified_text": "23 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5828f8217ecbe6ce3a89b", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:29:19.302000", "created": "2024-03-16T11:29:19.302000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5827a4e23b095e5af5f44", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:58.984000", "created": "2024-03-16T11:28:58.984000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f582700d35b0e7c8dd9df8", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:48.062000", "created": "2024-03-16T11:28:48.062000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5823b9d7bc6b422256296", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:27:55.808000", "created": "2024-03-16T11:27:55.808000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e1ece3b935bda6b9d3e10b", "name": "Cyber espionage & Ransomware attacks spread via Phone call? II.", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-03-01T14:57:39.828000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 88, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c970ef974adf44ef24c9a2", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-12T01:14:23.337000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c09e487b3899f3442aed96", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-05T08:37:28.774000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c012b5e56cc9474ebb701f", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c012b5e56cc9474ebb701f", "name": "Cyber espionage & Ransomware attacks spread via Phone calls", "description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-04T22:41:55.432000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c61923e63397d724a43", "name": "InQuest - 09-06-2023", "description": "", "modified": "2023-12-06T16:08:01.857000", "created": "2023-12-06T16:08:01.857000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 646, "URL": 1514, "FileHash-SHA256": 1056, "hostname": 214, "FileHash-MD5": 519, "FileHash-SHA1": 29 }, "indicator_count": 3978, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c571c9c316a625073ca", "name": "InQuest - 08-06-2023", "description": "", "modified": "2023-12-06T16:07:51.761000", "created": "2023-12-06T16:07:51.761000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 614, "URL": 1499, "FileHash-SHA256": 1096, "hostname": 194, "FileHash-MD5": 525, "FileHash-SHA1": 30 }, "indicator_count": 3958, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c42bdd32cb4b343a12d", "name": "InQuest - 07-06-2023", "description": "", "modified": "2023-12-06T16:07:30.911000", "created": "2023-12-06T16:07:30.911000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 597, "URL": 1478, "FileHash-SHA256": 1085, "hostname": 194, "FileHash-MD5": 585, "FileHash-SHA1": 30 }, "indicator_count": 3969, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c38b077f9845318a1bd", "name": "InQuest - 06-06-2023", "description": "", "modified": "2023-12-06T16:07:20.769000", "created": "2023-12-06T16:07:20.769000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 588, "URL": 1333, "FileHash-SHA256": 1033, "hostname": 194, "FileHash-MD5": 650, "FileHash-SHA1": 20 }, "indicator_count": 3818, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c28940b00211baa2ab1", "name": "InQuest - 05-06-2023", "description": "", "modified": "2023-12-06T16:07:04.724000", "created": "2023-12-06T16:07:04.724000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 586, "URL": 1326, "FileHash-SHA256": 1010, "hostname": 194, "FileHash-MD5": 649, "FileHash-SHA1": 20 }, "indicator_count": 3785, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c10598d34d706aa38cc", "name": "InQuest - 04-06-2023", "description": "", "modified": "2023-12-06T16:06:40.387000", "created": "2023-12-06T16:06:40.387000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 152, "URL": 681, "FileHash-SHA256": 948, "hostname": 155, "FileHash-MD5": 436, "FileHash-SHA1": 15 }, "indicator_count": 2387, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c0b9e15831f34058433", "name": "InQuest - 03-06-2023", "description": "", "modified": "2023-12-06T16:06:35.322000", "created": "2023-12-06T16:06:35.322000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 152, "URL": 681, "FileHash-SHA256": 948, "hostname": 155, "FileHash-MD5": 419, "FileHash-SHA1": 15 }, "indicator_count": 2370, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c07c1f97c4c9fee9c39", "name": "InQuest - 02-06-2023", "description": "", "modified": "2023-12-06T16:06:31.537000", "created": "2023-12-06T16:06:31.537000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 135, "URL": 579, "FileHash-SHA256": 810, "hostname": 125, "FileHash-MD5": 465, "FileHash-SHA1": 9 }, "indicator_count": 2123, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c04ddd28bbd1f135d17", "name": "InQuest - 01-06-2023", "description": "", "modified": "2023-12-06T16:06:28.147000", "created": "2023-12-06T16:06:28.147000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 135, "URL": 579, "FileHash-SHA256": 810, "hostname": 125, "FileHash-MD5": 465, "FileHash-SHA1": 9 }, "indicator_count": 2123, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709bfcda38f943d4e29f3a", "name": "InQuest - 31-05-2023", "description": "", "modified": "2023-12-06T16:06:20.048000", "created": "2023-12-06T16:06:20.048000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 115, "URL": 553, "FileHash-SHA256": 807, "hostname": 125, "FileHash-MD5": 463, "FileHash-SHA1": 9 }, "indicator_count": 2072, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709bee22b27035b5cb4b83", "name": "InQuest - 30-05-2023", "description": "", "modified": "2023-12-06T16:06:06.821000", "created": "2023-12-06T16:06:06.821000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 113, "URL": 527, "FileHash-SHA256": 791, "hostname": 125, "FileHash-MD5": 468, "FileHash-SHA1": 9 }, "indicator_count": 2033, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709be3808aed5d8ee43d1b", "name": "InQuest - 29-05-2023", "description": "", "modified": "2023-12-06T16:05:55.341000", "created": "2023-12-06T16:05:55.341000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 102, "URL": 444, "FileHash-SHA256": 730, "hostname": 114, "FileHash-MD5": 480, "FileHash-SHA1": 9 }, "indicator_count": 1879, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709bd40c5afa53c1c8c974", "name": "InQuest - 28-05-2023", "description": "", "modified": "2023-12-06T16:05:40.090000", "created": "2023-12-06T16:05:40.090000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 100, "URL": 440, "FileHash-SHA256": 729, "hostname": 114, "FileHash-MD5": 480, "FileHash-SHA1": 9 }, "indicator_count": 1872, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709bbb76d0def1cdaaa36f", "name": "InQuest - 27-05-2023", "description": "", "modified": "2023-12-06T16:05:15.099000", "created": "2023-12-06T16:05:15.099000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 100, "URL": 440, "FileHash-SHA256": 729, "hostname": 114, "FileHash-MD5": 481, "FileHash-SHA1": 9 }, "indicator_count": 1873, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995af8d4a3461031898b", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-10-02T00:00:29.692000", "created": "2023-08-24T17:54:34.404000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "973 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507dcf477ef9466c2de35e3", "name": "HIVE (Pulse created by RVS_i_am)", "description": "For more information, please see:\n\nContact info: wnd5xkus@duck.com / kcqhf2ok@duck.com (Email & Phone has 'not been very effective' means of communication)\nTwitter: @NorrisN60014\nDiscord: inawj_2\nMastadon: Disable_Duck@nerdculture.de\n\nOther:\nAlienVault: DISABLE_DUCK\nFileScan: DISABLE_DUCK\nMetadefender: red_snow_ak3jzram", "modified": "2023-09-18T05:15:32.926000", "created": "2023-09-18T05:15:32.926000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "64fa30d707f35d3c9d8bd1cd", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "987 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507dcf100d8bde09b555013", "name": "HIVE (Pulse created by RVS_i_am)", "description": "", "modified": "2023-09-18T05:15:29.671000", "created": "2023-09-18T05:15:29.671000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "64fa30d707f35d3c9d8bd1cd", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "987 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30d7bc2e4d93884b2a4c", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:43.678000", "created": "2023-09-07T20:21:43.678000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30d707f35d3c9d8bd1cd", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:43.271000", "created": "2023-09-07T20:21:43.271000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30cce362cbd8ba18c887", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:32.701000", "created": "2023-09-07T20:21:32.701000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30c8b0f038985fbce564", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:28.946000", "created": "2023-09-07T20:21:28.946000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30b1c5599ae3fd943671", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:05.125000", "created": "2023-09-07T20:21:05.125000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30a3429961426a8c9f3f", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:51.389000", "created": "2023-09-07T20:20:51.389000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa309b486cb2d0cacbc33e", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:43.518000", "created": "2023-09-07T20:20:43.518000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa309b8869335d1a9e6293", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:43.122000", "created": "2023-09-07T20:20:43.122000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa3090d3eb1de3bad58767", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:32.583000", "created": "2023-09-07T20:20:32.583000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa308c07f35d3c9d8bd1cc", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:28.541000", "created": "2023-09-07T20:20:28.541000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "998 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799845f4ca1eaee3b9957", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:55:16.165000", "created": "2023-08-24T17:55:16.165000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79960d336b6a4b53c561e", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:40.425000", "created": "2023-08-24T17:54:40.425000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995f5e8231aa87cdddc5", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:39.765000", "created": "2023-08-24T17:54:39.765000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995ece1da1e24e444a27", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:38.909000", "created": "2023-08-24T17:54:38.909000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799540d4697a46f8f230c", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:28.757000", "created": "2023-08-24T17:54:28.757000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799240e77a37a1a1fd255", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:40.054000", "created": "2023-08-24T17:53:40.054000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79923528ad3eb11ea884c", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:39.444000", "created": "2023-08-24T17:53:39.444000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7992247e0b22db4bd642a", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:38.528000", "created": "2023-08-24T17:53:38.528000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7991e0e88ef39bef95a12", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:34.071000", "created": "2023-08-24T17:53:34.071000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79918d81a265ff4d3d514", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:28.601000", "created": "2023-08-24T17:53:28.601000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7990cbf87cda6c38013cf", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:16.082000", "created": "2023-08-24T17:53:16.082000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6483b5854450eca17552f24a", "name": "InQuest - 09-06-2023", "description": "", "modified": "2023-07-09T23:00:21.077000", "created": "2023-06-09T23:28:05.492000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 214, "URL": 1514, "FileHash-SHA256": 1056, "domain": 646, "FileHash-MD5": 519, "FileHash-SHA1": 29 }, "indicator_count": 3978, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1058 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64826497cd9780401dde83b3", "name": "InQuest - 08-06-2023", "description": "", "modified": "2023-07-08T23:01:23.198000", "created": "2023-06-08T23:30:31.791000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1096, "FileHash-MD5": 525, "domain": 614, "URL": 1499, "FileHash-SHA1": 30, "hostname": 194 }, "indicator_count": 3958, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1059 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "648112edcfcb068623d87aed", "name": "InQuest - 07-06-2023", "description": "", "modified": "2023-07-07T23:04:34.817000", "created": "2023-06-07T23:29:49.971000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1085, "URL": 1478, "FileHash-MD5": 585, "domain": 597, "FileHash-SHA1": 30, "hostname": 194 }, "indicator_count": 3969, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1060 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "www.supernetforme.com [CnC]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "*Patient PII & PHI at critical risk", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "ddos.dnsnb8.net [CnC]", "https://labs.inquest.net/iocdb", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "http://watchhers.net/index.php. [ data collection]", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://remote.krogerlaw.com", "https://attack.mitre.org/software/S0226/", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "CS IDS Rules: MALWARE Possible Compromised Host", "https://us-bankofamerica.com/PhoneVerification.php/", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://iphones.email [redirection chain]", "https://www.crccolorado.com/dr-adam-sang", "http://www.defi-realty.com/jem9/ [phishing]", "remotewd.com", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "www.pornhub.com [password decryption]", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Ransomexx", "Dangerousobject.multi", "Generic.malware", "Hacktool", "Gen:variant.zusy", "Razy", "Suppobox", "Qakbot", "Relic", "Simda", "Defacement", "Formbook", "Trojan.injector", "Smoke loader", "Ransomware", "Lumma stealer", "Tofsee" ], "industries": [ "Industrial", "Defense", "Healthcare", "Patients", "Government", "Civil society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-06-01T00:38:49.108000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64327, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880083, "is_author": false, "is_subscribing": null, "subscriber_count": 301, "modified_text": "23 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5828f8217ecbe6ce3a89b", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:29:19.302000", "created": "2024-03-16T11:29:19.302000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5827a4e23b095e5af5f44", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:58.984000", "created": "2024-03-16T11:28:58.984000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f582700d35b0e7c8dd9df8", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:48.062000", "created": "2024-03-16T11:28:48.062000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5823b9d7bc6b422256296", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:27:55.808000", "created": "2024-03-16T11:27:55.808000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "807 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e1ece3b935bda6b9d3e10b", "name": "Cyber espionage & Ransomware attacks spread via Phone call? II.", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-03-01T14:57:39.828000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 88, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c970ef974adf44ef24c9a2", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-12T01:14:23.337000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c09e487b3899f3442aed96", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-05T08:37:28.774000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c012b5e56cc9474ebb701f", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c012b5e56cc9474ebb701f", "name": "Cyber espionage & Ransomware attacks spread via Phone calls", "description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-04T22:41:55.432000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "818 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c61923e63397d724a43", "name": "InQuest - 09-06-2023", "description": "", "modified": "2023-12-06T16:08:01.857000", "created": "2023-12-06T16:08:01.857000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 646, "URL": 1514, "FileHash-SHA256": 1056, "hostname": 214, "FileHash-MD5": 519, "FileHash-SHA1": 29 }, "indicator_count": 3978, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "acehigh.host", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "acehigh.host", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780358119.4150276 }