{ "type": "Domain", "indicator": "afect3d.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/afect3d.com", "alexa": "http://www.alexa.com/siteinfo/afect3d.com", "indicator": "afect3d.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3834516268, "indicator": "afect3d.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68633fde7c1aa942569f774a", "name": "Feebs worm | Residential Rental Community Denver, Co", "description": "Feebs worms t is spread using email or P2P networks via HTML application file that installs the worm on infected attachment..\n\nFeebs IoC\u2019s\n[FileHash-MD5\n0cfc4ba2ee11d21f85220fd7ee2c6058]\n[FileHash-SHA1\n3d5e2dd53ed5a52bb5f39e4d21ecc46a1ff1659a]\n[FileHash-SHA256\nee3151ed4dc44ef0a9a5fefa5236177cedbc7d8e4d74f126e6428ae0b938e09b]\n Indicator Facts:\n- 6 malicious files communicating\n- Blocked by Quad9\n- IRCbot\n\u2022 worm.feebs.ae \u2022\n#dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #ping +\u2026", "modified": "2025-07-31T01:02:04.870000", "created": "2025-07-01T01:54:38.111000", "tags": [ "united", "name servers", "search", "date", "passive dns", "urls", "address", "creation date", "contact", "status", "showing", "unknown ns", "ip address", "aaaa", "local", "ipv4", "pulse pulses", "files", "hosting", "reverse dns", "location united", "america flag", "hostname", "redacted for", "win32", "heur", "backdoor", "win32dh", "indicator", "quad9", "destination", "port", "show", "unknown", "as12041", "irc pong", "irc ping", "entries", "malware", "copy", "virustotal", "write", "drweb", "domain related", "finding notes", "microsoft worm", "submit url", "analysis", "trojanspy", "virtool", "expiration date", "hostname add", "win32sality feb", "america asn", "dns resolutions", "otx telemetry" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 133, "FileHash-SHA1": 130, "FileHash-SHA256": 455, "URL": 43, "domain": 167, "hostname": 225, "email": 8 }, "indicator_count": 1161, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "263 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "http://45.159.189.105/bot/regex", "pirateproxy.cc", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://twitter.com/PORNO_SEXYBABES", "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Vtapi: scanter.comwww.twitter.comx.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "https://totallyspies.1000hentai.com/tag/clover-porn/", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "838114.parkingcrew.net", "cdn.pornsocket.com", "static-push-preprod.porndig.com", "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "www.redtube.comyouporn.com", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "qbot.zip", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "imp.fusioninstall.com", "qa.companycam.com", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "http://secure.indianpornpass.com/track/hotpornstuff", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "weconnect.com", "dropboxpayments.com", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "X Vercel Servers", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "youramateuporn.com", "192.185.223.216 | 192.168.56.1 [malware]", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "watchhers.net", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "xhamster.comyouporn.com", "cams4all.com", "jimgaffigan.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "www.anyxxxtube.net", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "yoursexy.porn | indianyouporn.com", "mwilliams.dev@gmail.com | piratepages.com", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://mylegalbid.com/malwarebytes", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "24-70mm.camera", "https://severeporn-com.pornproxy.page/", "https://sexgalaxy.net/tag/rodneymoore/", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "https://www.songculture.com/tsara-lynn-brashears-music", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "ww16.porn-community.porn25.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "ns2.abovedomains.com", "http://borpatoken.com/ borpatoken.com", "http://xred.mooo.com", "http://alive.overit.com/~schoolbu/badmood3.exe" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/comame", "Adware affiliate", "Trojan:win32/vflooder.a", "Azorult cnc", "W32.aidetectmalware", "Trojan:win32/pariham", "Xpire.info", "Searchmeup", "Virtool", "Malware", "Trojan:win32/trickler", "Possible", "#virtool:win32/obfuscator", "Mirai", "Trojan.vtflooder/vflooder", "Trojanspy", "Win.trojan.occamy" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68633fde7c1aa942569f774a", "name": "Feebs worm | Residential Rental Community Denver, Co", "description": "Feebs worms t is spread using email or P2P networks via HTML application file that installs the worm on infected attachment..\n\nFeebs IoC\u2019s\n[FileHash-MD5\n0cfc4ba2ee11d21f85220fd7ee2c6058]\n[FileHash-SHA1\n3d5e2dd53ed5a52bb5f39e4d21ecc46a1ff1659a]\n[FileHash-SHA256\nee3151ed4dc44ef0a9a5fefa5236177cedbc7d8e4d74f126e6428ae0b938e09b]\n Indicator Facts:\n- 6 malicious files communicating\n- Blocked by Quad9\n- IRCbot\n\u2022 worm.feebs.ae \u2022\n#dga #running_webserver #feebs #trojan #spy #bot #ransom #virtool #irc #backfdoor #worm #dropper #banker #registrarabuse #droppedconnectionstoday #operation #data_selling #binary #infection #pointing #backdoor #domain_prefix #ping +\u2026", "modified": "2025-07-31T01:02:04.870000", "created": "2025-07-01T01:54:38.111000", "tags": [ "united", "name servers", "search", "date", "passive dns", "urls", "address", "creation date", "contact", "status", "showing", "unknown ns", "ip address", "aaaa", "local", "ipv4", "pulse pulses", "files", "hosting", "reverse dns", "location united", "america flag", "hostname", "redacted for", "win32", "heur", "backdoor", "win32dh", "indicator", "quad9", "destination", "port", "show", "unknown", "as12041", "irc pong", "irc ping", "entries", "malware", "copy", "virustotal", "write", "drweb", "domain related", "finding notes", "microsoft worm", "submit url", "analysis", "trojanspy", "virtool", "expiration date", "hostname add", "win32sality feb", "america asn", "dns resolutions", "otx telemetry" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 133, "FileHash-SHA1": 130, "FileHash-SHA256": 455, "URL": 43, "domain": 167, "hostname": 225, "email": 8 }, "indicator_count": 1161, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "263 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "558 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "afect3d.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "afect3d.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776647653.6389303 }