{ "type": "Domain", "indicator": "adnetworkperformance.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/adnetworkperformance.com", "alexa": "http://www.alexa.com/siteinfo/adnetworkperformance.com", "indicator": "adnetworkperformance.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "whitelist", "message": "Whitelisted domain adnetworkperformance.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 142865985, "indicator": "adnetworkperformance.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "64ed117e2308a042e50e1e9e", "name": "Investigation of Distribution Vectors and Threat Network Infrastructure", "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.", "modified": "2025-11-23T23:20:07.571000", "created": "2023-08-28T21:28:30.294000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 139, "FileHash-SHA256": 1421, "URL": 9580, "CIDR": 30, "domain": 10205, "email": 12, "hostname": 517612, "IPv4": 11, "CVE": 62 }, "indicator_count": 539308, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "147 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675403ebdfc5bb1288b8b0b", "name": "Sakula RAT | Remote Attacks | Mirai | Piracy", "description": "", "modified": "2024-07-21T08:03:04.249000", "created": "2024-06-21T08:56:30.887000", "tags": [ "historical ssl", "remote", "high level", "hackers", "unknown win", "executable", "highly targeted", "cyber attack", "spotify artist", "sakula rat", "div div", "a div", "unknown", "united", "search", "nubile cowgirl", "mommy", "businessman", "slavegirl", "busty brunette", "date", "meta", "name servers", "status", "aaaa", "certificate", "cookie", "next", "log id", "gmtn", "go daddy", "authority", "tls web", "passive dns", "urls", "arizona", "scottsdale", "ca issuers", "false", "virgin islands", "as44273 host", "cname", "as19905", "creation date", "pulses", "trojan", "as22612", "react app", "verizon feed", "error", "typeof e", "body", "path", "info", "trace", "pulse submit", "url analysis", "files", "domain", "files ip", "external", "whois", "window", "as133618", "nxdomain", "coco", "elsa jean", "katrina jade", "amazing girls", "puffy nipples", "all scoreblue", "ipv4", "pulse pulses", "location virgin", "as133775 xiamen", "germany unknown", "florence co", "tsara brashears", "scan endpoints", "ip address", "ip related", "pulses otx", "redacted for", "for privacy", "dnssec", "as49870 alsycon", "as49305 map", "as24940 hetzner", "moved", "a domains", "encrypt", "showing", "expiration date", "as19527 google", "as397240", "get http", "read c", "write c", "et trojan", "dcom port", "possible", "host sinkhole", "write", "win32", "artemis", "malware", "nivdort", "zeus gameover", "copy", "xserver", "apple", "intellectual property theft", "dns replication", "type name", "replication", "domains", "ripe ncc", "ripe network", "whois lookups", "as49870 city", "abuse contact", "orgid", "mohammed zourob", "address", "orgabuseref", "mirai", "honeypot ips", "collection", "referrer", "mirai malware", "relacionada", "mirai 03042024", "bashlite", "sha256", "sha1", "windows nt", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "june", "local", "click", "strings", "contact", "as34788", "title", "body doctype", "html public", "ietfdtd html", "gmt server", "service", "apache", "targeting", "piracy" ], "references": [ "Sakula RAT - www.polarroute.com-CnC", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "appleremotesupport.com", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Win32:Malware-gen : watchhers.net", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Bayrob: 173.236.19.82", "Win32:Malware-gen: message.htm.com", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Germany", "United States of America" ], "malware_families": [ { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null }, { "id": "a variant of Win32/Bayrob.BL", "display_name": "a variant of Win32/Bayrob.BL", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan.Bayrob!gen9", "display_name": "Trojan.Bayrob!gen9", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "HEUR:Trojan.Win32.Generic", "display_name": "HEUR:Trojan.Win32.Generic", "target": null }, { "id": "Mal/Bayrob-C ,", "display_name": "Mal/Bayrob-C ,", "target": null }, { "id": "DownLoader24.56470", "display_name": "DownLoader24.56470", "target": null }, { "id": "Trojan/Win32.Nivdort.C1321145", "display_name": "Trojan/Win32.Nivdort.C1321145", "target": null }, { "id": "Backdoor:Linux/Mirai.AY!MTB", "display_name": "Backdoor:Linux/Mirai.AY!MTB", "target": "/malware/Backdoor:Linux/Mirai.AY!MTB" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6903, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1390, "FileHash-MD5": 97, "FileHash-SHA1": 91, "FileHash-SHA256": 1341, "URL": 3993, "domain": 1903, "email": 11, "SSLCertFingerprint": 4, "CIDR": 2 }, "indicator_count": 8832, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "638 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c09e6935e446f36ee67d16", "name": "Hacked Browser \u2022 DOS \u2022 Sinkholed", "description": "", "modified": "2024-03-05T13:02:33.380000", "created": "2024-02-05T08:38:01.689000", "tags": [ "whois record", "contacted", "ssl certificate", "referrer", "contacted urls", "historical ssl", "resolutions", "siblings domain", "threat roundup", "september", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "execution", "siblings", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "google safe", "creation date", "cpm network", "passive dns", "urls", "search", "expiration date", "name servers", "date", "showing", "unknown", "next", "http response", "final url", "ip address", "status code", "headers date", "files", "apple ios", "urls url", "apple", "password", "domains", "tmobile metro", "hacktool", "ursnif", "malware", "core", "tsara brashears", "copy", "tracker", "highly targeted", "sides with", "nanocore", "ransomexx", "quasar", "maui ransomware", "download", "relic", "monitoring", "installer", "cobalt strike", "phishing", "critical", "emotet", "exploit", "united", "win32upatre jan", "entries", "ipv4", "open", "trojan", "body", "artro", "status", "hostname", "cpm fun", "meta name", "malware stealer trojan evader", "cyber warfare", "urls http", "apple phone", "unlocker", "shell code", "script", "awful", "june", "service", "privateloader", "amadey", "powershell", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs2013", "info compiler", "products id", "vs2013 upd4", "upd4", "header intel", "name md5", "getcursor getdc" ], "references": [ "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Worm:Win32/Mimail.9c74f1f3", "display_name": "Worm:Win32/Mimail.9c74f1f3", "target": "/malware/Worm:Win32/Mimail.9c74f1f3" }, { "id": "Win32.Virlock.Gen.1", "display_name": "Win32.Virlock.Gen.1", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65bf9b6b83552213615b08b6", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1301, "FileHash-SHA1": 717, "FileHash-SHA256": 1520, "URL": 1249, "domain": 564, "hostname": 931, "email": 6, "CVE": 2, "FilePath": 1 }, "indicator_count": 6291, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bf9b6b83552213615b08b6", "name": "Hacked Browser \u2022 DOS \u2022 Sinkholed", "description": "Ongoing attack against targeted individual.", "modified": "2024-03-05T13:02:33.380000", "created": "2024-02-04T14:12:59.815000", "tags": [ "whois record", "contacted", "ssl certificate", "referrer", "contacted urls", "historical ssl", "resolutions", "siblings domain", "threat roundup", "september", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "execution", "siblings", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "google safe", "creation date", "cpm network", "passive dns", "urls", "search", "expiration date", "name servers", "date", "showing", "unknown", "next", "http response", "final url", "ip address", "status code", "headers date", "files", "apple ios", "urls url", "apple", "password", "domains", "tmobile metro", "hacktool", "ursnif", "malware", "core", "tsara brashears", "copy", "tracker", "highly targeted", "sides with", "nanocore", "ransomexx", "quasar", "maui ransomware", "download", "relic", "monitoring", "installer", "cobalt strike", "phishing", "critical", "emotet", "exploit", "united", "win32upatre jan", "entries", "ipv4", "open", "trojan", "body", "artro", "status", "hostname", "cpm fun", "meta name", "malware stealer trojan evader", "cyber warfare", "urls http", "apple phone", "unlocker", "shell code", "script", "awful", "june", "service", "privateloader", "amadey", "powershell", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs2013", "info compiler", "products id", "vs2013 upd4", "upd4", "header intel", "name md5", "getcursor getdc" ], "references": [ "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Worm:Win32/Mimail.9c74f1f3", "display_name": "Worm:Win32/Mimail.9c74f1f3", "target": "/malware/Worm:Win32/Mimail.9c74f1f3" }, { "id": "Win32.Virlock.Gen.1", "display_name": "Win32.Virlock.Gen.1", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1301, "FileHash-SHA1": 717, "FileHash-SHA256": 1520, "URL": 1249, "domain": 564, "hostname": 931, "email": 6, "CVE": 2, "FilePath": 1 }, "indicator_count": 6291, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bf9b680a31915bed66fe9b", "name": "Hacked Browser \u2022 DOS \u2022 Sinkholed", "description": "Ongoing attack against targeted individual.", "modified": "2024-03-05T13:02:33.380000", "created": "2024-02-04T14:12:56.167000", "tags": [ "whois record", "contacted", "ssl certificate", "referrer", "contacted urls", "historical ssl", "resolutions", "siblings domain", "threat roundup", "september", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "execution", "siblings", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "google safe", "creation date", "cpm network", "passive dns", "urls", "search", "expiration date", "name servers", "date", "showing", "unknown", "next", "http response", "final url", "ip address", "status code", "headers date", "files", "apple ios", "urls url", "apple", "password", "domains", "tmobile metro", "hacktool", "ursnif", "malware", "core", "tsara brashears", "copy", "tracker", "highly targeted", "sides with", "nanocore", "ransomexx", "quasar", "maui ransomware", "download", "relic", "monitoring", "installer", "cobalt strike", "phishing", "critical", "emotet", "exploit", "united", "win32upatre jan", "entries", "ipv4", "open", "trojan", "body", "artro", "status", "hostname", "cpm fun", "meta name", "malware stealer trojan evader", "cyber warfare", "urls http", "apple phone", "unlocker", "shell code", "script", "awful", "june", "service", "privateloader", "amadey", "powershell", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs2013", "info compiler", "products id", "vs2013 upd4", "upd4", "header intel", "name md5", "getcursor getdc" ], "references": [ "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Worm:Win32/Mimail.9c74f1f3", "display_name": "Worm:Win32/Mimail.9c74f1f3", "target": "/malware/Worm:Win32/Mimail.9c74f1f3" }, { "id": "Win32.Virlock.Gen.1", "display_name": "Win32.Virlock.Gen.1", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1301, "FileHash-SHA1": 717, "FileHash-SHA256": 1520, "URL": 1249, "domain": 564, "hostname": 931, "email": 6, "CVE": 2, "FilePath": 1 }, "indicator_count": 6291, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e63120b126bc622cfd0a10", "name": "Investigation of Distribution Vectors and Threat Network Infrastructure", "description": "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "modified": "2023-10-31T20:10:08.021000", "created": "2023-08-23T16:17:36.678000", "tags": [ "onedrive", "business", "urls", "please", "javascript" ], "references": [ "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.stix", "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.stix", "", "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://ualbertaca-my.sharepoint.com/:f:/g/personal/jwanihad_ualberta_ca/EhLQD31IDHxMo2_PJev991AB8axG-g39-7GRT4V2KfX9Cg?e=FHpCUr" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Panama", "Aruba", "Saint Vincent and the Grenadines", "Mexico", "Costa Rica", "Guatemala", "Netherlands", "Philippines", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 791, "FileHash-MD5": 179, "FileHash-SHA1": 176, "FileHash-SHA256": 977, "domain": 421, "hostname": 1175, "CIDR": 14, "email": 4, "CVE": 1 }, "indicator_count": 3738, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "901 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f152513c2dcc0f4e3406e", "name": "Threat Network Root & Distribution Vectors Probe", "description": "", "modified": "2023-10-30T02:29:57.489000", "created": "2023-10-30T02:29:57.489000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "65133d6945641812c2ccc6ee", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "903 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1524792f3064843d826f", "name": "Threat Network Root & Distribution Vectors Probe", "description": "", "modified": "2023-10-30T02:29:56.006000", "created": "2023-10-30T02:29:56.006000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "65133d6945641812c2ccc6ee", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "903 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65133d6945641812c2ccc6ee", "name": "Threat Network Root & Distribution Vectors Probe", "description": "", "modified": "2023-09-27T21:01:26.901000", "created": "2023-09-26T20:22:01.290000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "650fda65975555b2dabc023e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "935 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "650fda65975555b2dabc023e", "name": "Threat Network Root & Distribution Vectors Probe ( disabe_duck curated pulse) ", "description": "", "modified": "2023-09-27T21:01:26.901000", "created": "2023-09-24T06:42:45.462000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "64ed117e2308a042e50e1e9e", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "935 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "650fd91f936f021cb7a68af9", "name": "Threat Network Framework & Distribution Vectors Probe (curated by disabe_duck)", "description": "", "modified": "2023-09-24T06:37:19.016000", "created": "2023-09-24T06:37:19.016000", "tags": [ "onedrive", "business", "urls", "please", "javascript" ], "references": [ "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.stix", "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.stix", "", "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://ualbertaca-my.sharepoint.com/:f:/g/personal/jwanihad_ualberta_ca/EhLQD31IDHxMo2_PJev991AB8axG-g39-7GRT4V2KfX9Cg?e=FHpCUr" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Panama", "Aruba", "Saint Vincent and the Grenadines", "Mexico", "Costa Rica", "Guatemala", "Netherlands", "Philippines", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "64e63120b126bc622cfd0a10", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 789, "FileHash-MD5": 179, "FileHash-SHA1": 176, "FileHash-SHA256": 977, "domain": 416, "hostname": 1042, "CIDR": 14, "email": 3 }, "indicator_count": 3596, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "939 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e6dada5d3a6db8cc1b6854", "name": "Investigation: Distribution Vectors & Threat Network Infrastructure ", "description": "", "modified": "2023-09-22T16:04:29.324000", "created": "2023-08-24T04:21:46.633000", "tags": [ "onedrive", "business", "urls", "please", "javascript" ], "references": [ "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.stix", "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.stix" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Panama", "Aruba", "Saint Vincent and the Grenadines", "Mexico", "Costa Rica", "Guatemala", "Netherlands", "Philippines", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "64e63120b126bc622cfd0a10", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 788, "FileHash-MD5": 179, "FileHash-SHA1": 176, "FileHash-SHA256": 977, "domain": 416, "hostname": 1042, "CIDR": 14, "email": 3 }, "indicator_count": 3595, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "941 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.stix", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "Sakula RAT - www.polarroute.com-CnC", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.stix", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://ualbertaca-my.sharepoint.com/:f:/g/personal/jwanihad_ualberta_ca/EhLQD31IDHxMo2_PJev991AB8axG-g39-7GRT4V2KfX9Cg?e=FHpCUr", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "appleremotesupport.com", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]", "Win32:Malware-gen: message.htm.com", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "Win32:Malware-gen : watchhers.net", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "Bayrob: 173.236.19.82", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown APT Group(s) / Threat Actor (s)" ], "malware_families": [ "Amadey", "Ransomexx", "Ursnif", "Nanocore rat", "Trojan", "Androidoverlaymalware - mob-s0012", "Backdoor:linux/mirai.ay!mtb", "Worm:win32/mimail.9c74f1f3", "Trojan.bayrob!gen9", "Mal/bayrob-c ,", "Quasar rat", "Win32:malware-gen", "A variant of win32/bayrob.bl", "Artro", "Unix.trojan.tsunami-6981155-0", "Sakula rat", "Heur:trojan.win32.generic", "Downloader24.56470", "Cobalt strike", "Maui ransomware", "Trojan/win32.nivdort.c1321145", "Win32.virlock.gen.1", "Emotet", "Relic", "Hacktool" ], "industries": [ "Healthcare", "Government", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "64ed117e2308a042e50e1e9e", "name": "Investigation of Distribution Vectors and Threat Network Infrastructure", "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.", "modified": "2025-11-23T23:20:07.571000", "created": "2023-08-28T21:28:30.294000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 139, "FileHash-SHA256": 1421, "URL": 9580, "CIDR": 30, "domain": 10205, "email": 12, "hostname": 517612, "IPv4": 11, "CVE": 62 }, "indicator_count": 539308, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "147 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675403ebdfc5bb1288b8b0b", "name": "Sakula RAT | Remote Attacks | Mirai | Piracy", "description": "", "modified": "2024-07-21T08:03:04.249000", "created": "2024-06-21T08:56:30.887000", "tags": [ "historical ssl", "remote", "high level", "hackers", "unknown win", "executable", "highly targeted", "cyber attack", "spotify artist", "sakula rat", "div div", "a div", "unknown", "united", "search", "nubile cowgirl", "mommy", "businessman", "slavegirl", "busty brunette", "date", "meta", "name servers", "status", "aaaa", "certificate", "cookie", "next", "log id", "gmtn", "go daddy", "authority", "tls web", "passive dns", "urls", "arizona", "scottsdale", "ca issuers", "false", "virgin islands", "as44273 host", "cname", "as19905", "creation date", "pulses", "trojan", "as22612", "react app", "verizon feed", "error", "typeof e", "body", "path", "info", "trace", "pulse submit", "url analysis", "files", "domain", "files ip", "external", "whois", "window", "as133618", "nxdomain", "coco", "elsa jean", "katrina jade", "amazing girls", "puffy nipples", "all scoreblue", "ipv4", "pulse pulses", "location virgin", "as133775 xiamen", "germany unknown", "florence co", "tsara brashears", "scan endpoints", "ip address", "ip related", "pulses otx", "redacted for", "for privacy", "dnssec", "as49870 alsycon", "as49305 map", "as24940 hetzner", "moved", "a domains", "encrypt", "showing", "expiration date", "as19527 google", "as397240", "get http", "read c", "write c", "et trojan", "dcom port", "possible", "host sinkhole", "write", "win32", "artemis", "malware", "nivdort", "zeus gameover", "copy", "xserver", "apple", "intellectual property theft", "dns replication", "type name", "replication", "domains", "ripe ncc", "ripe network", "whois lookups", "as49870 city", "abuse contact", "orgid", "mohammed zourob", "address", "orgabuseref", "mirai", "honeypot ips", "collection", "referrer", "mirai malware", "relacionada", "mirai 03042024", "bashlite", "sha256", "sha1", "windows nt", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "june", "local", "click", "strings", "contact", "as34788", "title", "body doctype", "html public", "ietfdtd html", "gmt server", "service", "apache", "targeting", "piracy" ], "references": [ "Sakula RAT - www.polarroute.com-CnC", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "appleremotesupport.com", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Win32:Malware-gen : watchhers.net", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Bayrob: 173.236.19.82", "Win32:Malware-gen: message.htm.com", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Germany", "United States of America" ], "malware_families": [ { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null }, { "id": "a variant of Win32/Bayrob.BL", "display_name": "a variant of Win32/Bayrob.BL", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan.Bayrob!gen9", "display_name": "Trojan.Bayrob!gen9", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "HEUR:Trojan.Win32.Generic", "display_name": "HEUR:Trojan.Win32.Generic", "target": null }, { "id": "Mal/Bayrob-C ,", "display_name": "Mal/Bayrob-C ,", "target": null }, { "id": "DownLoader24.56470", "display_name": "DownLoader24.56470", "target": null }, { "id": "Trojan/Win32.Nivdort.C1321145", "display_name": "Trojan/Win32.Nivdort.C1321145", "target": null }, { "id": "Backdoor:Linux/Mirai.AY!MTB", "display_name": "Backdoor:Linux/Mirai.AY!MTB", "target": "/malware/Backdoor:Linux/Mirai.AY!MTB" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6903, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1390, "FileHash-MD5": 97, "FileHash-SHA1": 91, "FileHash-SHA256": 1341, "URL": 3993, "domain": 1903, "email": 11, "SSLCertFingerprint": 4, "CIDR": 2 }, "indicator_count": 8832, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "638 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c09e6935e446f36ee67d16", "name": "Hacked Browser \u2022 DOS \u2022 Sinkholed", "description": "", "modified": "2024-03-05T13:02:33.380000", "created": "2024-02-05T08:38:01.689000", "tags": [ "whois record", "contacted", "ssl certificate", "referrer", "contacted urls", "historical ssl", "resolutions", "siblings domain", "threat roundup", "september", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "execution", "siblings", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "google safe", "creation date", "cpm network", "passive dns", "urls", "search", "expiration date", "name servers", "date", "showing", "unknown", "next", "http response", "final url", "ip address", "status code", "headers date", "files", "apple ios", "urls url", "apple", "password", "domains", "tmobile metro", "hacktool", "ursnif", "malware", "core", "tsara brashears", "copy", "tracker", "highly targeted", "sides with", "nanocore", "ransomexx", "quasar", "maui ransomware", "download", "relic", "monitoring", "installer", "cobalt strike", "phishing", "critical", "emotet", "exploit", "united", "win32upatre jan", "entries", "ipv4", "open", "trojan", "body", "artro", "status", "hostname", "cpm fun", "meta name", "malware stealer trojan evader", "cyber warfare", "urls http", "apple phone", "unlocker", "shell code", "script", "awful", "june", "service", "privateloader", "amadey", "powershell", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs2013", "info compiler", "products id", "vs2013 upd4", "upd4", "header intel", "name md5", "getcursor getdc" ], "references": [ "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Worm:Win32/Mimail.9c74f1f3", "display_name": "Worm:Win32/Mimail.9c74f1f3", "target": "/malware/Worm:Win32/Mimail.9c74f1f3" }, { "id": "Win32.Virlock.Gen.1", "display_name": "Win32.Virlock.Gen.1", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65bf9b6b83552213615b08b6", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1301, "FileHash-SHA1": 717, "FileHash-SHA256": 1520, "URL": 1249, "domain": 564, "hostname": 931, "email": 6, "CVE": 2, "FilePath": 1 }, "indicator_count": 6291, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bf9b6b83552213615b08b6", "name": "Hacked Browser \u2022 DOS \u2022 Sinkholed", "description": "Ongoing attack against targeted individual.", "modified": "2024-03-05T13:02:33.380000", "created": "2024-02-04T14:12:59.815000", "tags": [ "whois record", "contacted", "ssl certificate", "referrer", "contacted urls", "historical ssl", "resolutions", "siblings domain", "threat roundup", "september", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "execution", "siblings", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "google safe", "creation date", "cpm network", "passive dns", "urls", "search", "expiration date", "name servers", "date", "showing", "unknown", "next", "http response", "final url", "ip address", "status code", "headers date", "files", "apple ios", "urls url", "apple", "password", "domains", "tmobile metro", "hacktool", "ursnif", "malware", "core", "tsara brashears", "copy", "tracker", "highly targeted", "sides with", "nanocore", "ransomexx", "quasar", "maui ransomware", "download", "relic", "monitoring", "installer", "cobalt strike", "phishing", "critical", "emotet", "exploit", "united", "win32upatre jan", "entries", "ipv4", "open", "trojan", "body", "artro", "status", "hostname", "cpm fun", "meta name", "malware stealer trojan evader", "cyber warfare", "urls http", "apple phone", "unlocker", "shell code", "script", "awful", "june", "service", "privateloader", "amadey", "powershell", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs2013", "info compiler", "products id", "vs2013 upd4", "upd4", "header intel", "name md5", "getcursor getdc" ], "references": [ "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Worm:Win32/Mimail.9c74f1f3", "display_name": "Worm:Win32/Mimail.9c74f1f3", "target": "/malware/Worm:Win32/Mimail.9c74f1f3" }, { "id": "Win32.Virlock.Gen.1", "display_name": "Win32.Virlock.Gen.1", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1301, "FileHash-SHA1": 717, "FileHash-SHA256": 1520, "URL": 1249, "domain": 564, "hostname": 931, "email": 6, "CVE": 2, "FilePath": 1 }, "indicator_count": 6291, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bf9b680a31915bed66fe9b", "name": "Hacked Browser \u2022 DOS \u2022 Sinkholed", "description": "Ongoing attack against targeted individual.", "modified": "2024-03-05T13:02:33.380000", "created": "2024-02-04T14:12:56.167000", "tags": [ "whois record", "contacted", "ssl certificate", "referrer", "contacted urls", "historical ssl", "resolutions", "siblings domain", "threat roundup", "september", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "execution", "siblings", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "google safe", "creation date", "cpm network", "passive dns", "urls", "search", "expiration date", "name servers", "date", "showing", "unknown", "next", "http response", "final url", "ip address", "status code", "headers date", "files", "apple ios", "urls url", "apple", "password", "domains", "tmobile metro", "hacktool", "ursnif", "malware", "core", "tsara brashears", "copy", "tracker", "highly targeted", "sides with", "nanocore", "ransomexx", "quasar", "maui ransomware", "download", "relic", "monitoring", "installer", "cobalt strike", "phishing", "critical", "emotet", "exploit", "united", "win32upatre jan", "entries", "ipv4", "open", "trojan", "body", "artro", "status", "hostname", "cpm fun", "meta name", "malware stealer trojan evader", "cyber warfare", "urls http", "apple phone", "unlocker", "shell code", "script", "awful", "june", "service", "privateloader", "amadey", "powershell", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs2013", "info compiler", "products id", "vs2013 upd4", "upd4", "header intel", "name md5", "getcursor getdc" ], "references": [ "http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "CS IDS Rules: PROTOCOL-ICMP Destination Unreachable Host Unreachable", "CS IDS Rules: DS rules HIGH - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt Unique rule identifier: This rule belongs to a private collection.", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Worm:Win32/Mimail.9c74f1f3", "display_name": "Worm:Win32/Mimail.9c74f1f3", "target": "/malware/Worm:Win32/Mimail.9c74f1f3" }, { "id": "Win32.Virlock.Gen.1", "display_name": "Win32.Virlock.Gen.1", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1301, "FileHash-SHA1": 717, "FileHash-SHA256": 1520, "URL": 1249, "domain": 564, "hostname": 931, "email": 6, "CVE": 2, "FilePath": 1 }, "indicator_count": 6291, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "adnetworkperformance.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "adnetworkperformance.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776707219.2477865 }