{ "type": "Domain", "indicator": "angularjs.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/angularjs.org", "alexa": "http://www.alexa.com/siteinfo/angularjs.org", "indicator": "angularjs.org", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #9341", "name": "Akamai Popular Domain" }, { "source": "majestic", "message": "Whitelisted domain angularjs.org", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain angularjs.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2682836965, "indicator": "angularjs.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "69bbd2d6d9d356c1f3e6dcc0", "name": "VirusTotal report\n for sample.apk", "description": "T1406 Obfuscated Files or Information confidence: medium\nDefense Evasion\nT1421 System Network Connections Discovery confidence: medium\nT1422 System Network Configuration Discovery confidence: medium\nT1430 Location Tracking confidence: medium\nT1418 Software Discovery confidence: medium\nT1426 System Information Discovery confidence: medium\nT1424 Process Discovery confidence: medium\nDiscovery\nT1430 Location Tracking confidence: medium\nCommand and Control\nT1573 Encrypted Channel confidence: low\nT1071 Application Layer Protocol\nhttps://www.virustotal.com/gui/file/0029a9b7bba96f77d8851e7f716879129ace86ff016263c2842a1767cca8c051/behavior", "modified": "2026-04-18T11:12:42.071000", "created": "2026-03-19T10:41:26.327000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 12, "URL": 54, "domain": 2, "hostname": 24 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916d97edb28b2616ffac3ab", "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "", "modified": "2025-11-14T07:41:19.912000", "created": "2025-11-14T07:25:50.524000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4037, "hostname": 2241, "URL": 2516, "FileHash-MD5": 1224, "FileHash-SHA1": 783, "FileHash-SHA256": 2796, "CVE": 10, "email": 25 }, "indicator_count": 13632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dbee57fc8b1739c2223376", "name": "Serious Privacy Violations \u2022 Groundup Monitoring a Household \u2022 IoT", "description": "Thank you for the tip. It\u2019s taken me 98 days to get to this one. Enlightening. \n\nI\u2019m going to reserve my comments. A lot of new stuff here. \n#Intrusive\n#helix #helix_foundry_connection #amazon #advesaries_in_the_middle", "modified": "2025-10-30T14:05:43.818000", "created": "2025-09-30T14:51:03.111000", "tags": [ "united", "trojandropper", "passive dns", "lowfi", "head meta", "moved title", "twitter", "moved", "a href", "present sep", "aaaa", "ireland", "ip address", "emails", "reverse dns", "malware", "unruy", "upatre", "snowjan", "zusy", "vb", "x.com", "downloader", "trojan", "agent", "pe32 executable", "intel", "ms windows", "reads", "medium", "write", "delete", "top source", "push", "germany unknown", "name servers", "head body", "urls", "files ip", "url analysis", "address", "asn as3320", "present jun", "present jul", "present may", "present oct", "present feb", "present nov", "url hostname", "server response", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "development att", "ssl certificate", "path", "sha256", "pattern match", "ffffff", "general", "iframe", "click", "strings", "leon", "dns requests", "domain address", "http", "files domain", "files related", "ireland unknown", "files", "dublin", "ireland asn", "as16509", "script urls", "dubai real", "meta", "encrypt", "austria unknown", "austria asn", "asnone dns", "resolutions", "handle", "rdap database", "iana registrar", "helix", "foundry", "iot", "apple", "itunes", "amazon", "unknown ns", "found", "content type", "gmt server", "x xss", "certificate", "domain add", "error", "code", "date", "entries", "next associated", "body html", "title", "present aug", "servers", "status", "for privacy", "redacted for", "spawns", "ck techniques", "url add", "pulse pulses", "related nids", "files location", "flag united", "showing", "media", "cname", "invalid url", "creation date", "body", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "mitre att", "show technique", "hybrid", "local" ], "references": [ "families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh", "t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de", "www.n-helix.com - Foundry remnant", "itunes.apple.com \u2022 api.amazon.com", "https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net", "https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano", "http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Win.Malware.Snojan", "display_name": "Win.Malware.Snojan", "target": null }, { "id": "Win.Packed", "display_name": "Win.Packed", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "ALF:Trojan:Win32/Agent.WTK!MTB", "display_name": "ALF:Trojan:Win32/Agent.WTK!MTB", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3399, "domain": 790, "FileHash-MD5": 174, "FileHash-SHA1": 171, "FileHash-SHA256": 3349, "hostname": 1325, "email": 10, "SSLCertFingerprint": 9 }, "indicator_count": 9227, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d95bd10bfcc8c3dd66a44d", "name": "Qbot ", "description": "", "modified": "2024-09-05T09:51:10.113000", "created": "2024-09-05T07:20:49.138000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4091, "hostname": 2422, "URL": 3167, "FileHash-MD5": 1424, "FileHash-SHA1": 983, "FileHash-SHA256": 3174, "CVE": 10, "email": 25 }, "indicator_count": 15296, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "713 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654971c396ca4306a6534b12", "name": "njRAT| BazarLoader| Daekside2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "CNC, botnetwork, malware attacks, malvertizing, remote attacks, decryption, device stalking, ' has own property call command', illegal service interference, teen and adult content, cyber stalking, password cracking. Intimidation, harassment , threatening, libel , cybercrime hacking, defacement", "modified": "2023-12-06T21:03:06.189000", "created": "2023-11-06T23:07:46.880000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 140, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4018, "hostname": 2152, "URL": 2105, "FileHash-MD5": 1223, "FileHash-SHA1": 783, "FileHash-SHA256": 2789, "CVE": 9, "email": 25 }, "indicator_count": 13104, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709632333f37e8de4185e9", "name": "whitelisted angular.js", "description": "", "modified": "2023-12-06T15:41:38.498000", "created": "2023-12-06T15:41:38.498000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 245, "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 424, "hostname": 466, "URL": 1805 }, "indicator_count": 3193, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b72abe90961af1737c9", "name": "reCAPTCHA", "description": "", "modified": "2023-12-06T14:55:46.172000", "created": "2023-12-06T14:55:46.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 362, "domain": 330, "URL": 1790, "hostname": 586, "email": 1 }, "indicator_count": 3069, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657081be03964e671c853055", "name": "results.enr.clarityelections.com:TX:Comal:%22 ~ 03.04.2022", "description": "", "modified": "2023-12-06T14:14:21.542000", "created": "2023-12-06T14:14:21.542000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 143, "hostname": 45, "URL": 96, "domain": 13, "CIDR": 1, "FileHash-MD5": 8 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63c8e04d8e7541291b89f4a1", "name": "whitelisted angular.js", "description": "", "modified": "2023-02-18T15:00:23.103000", "created": "2023-01-19T06:16:45.770000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "function", "null", "regexp", "date", "controller", "month", "hours", "fullyear", "this", "error", "path", "window", "cookie", "span", "form", "android", "hybrid", "close", "click", "ransomware", "june", "general", "infinity", "strings", "suspicious" ], "references": [ "https://www.hybrid-analysis.com/sample/91fb6887a7d7b8f298f3ea09abd8284404916b3623679b791a71087a12d65523/5936cfa1aac2ed5e205fb505", "bienvenidosnewyork.com/app.php" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1843, "hostname": 471, "domain": 246, "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 444, "CVE": 1 }, "indicator_count": 3257, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63c8e04f8962fa3ac0c7eb77", "name": "whitelisted angular.js", "description": "", "modified": "2023-01-19T06:16:47.672000", "created": "2023-01-19T06:16:47.672000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "function", "null", "regexp", "date", "controller", "month", "hours", "fullyear", "this", "error", "path", "window", "cookie", "span", "form", "android", "hybrid", "close", "click", "ransomware", "june", "general", "infinity", "strings", "suspicious" ], "references": [ "https://www.hybrid-analysis.com/sample/91fb6887a7d7b8f298f3ea09abd8284404916b3623679b791a71087a12d65523/5936cfa1aac2ed5e205fb505", "bienvenidosnewyork.com/app.php" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 408, "hostname": 48, "domain": 59, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628ce74526894454664e1bab", "name": "cloudron.io", "description": "function ar(aw,av,au,at) is a new version of the Matomo tracker, which allows users to track where a tracker has been located, and when it is activated.", "modified": "2022-06-23T00:03:28.624000", "created": "2022-05-24T14:10:13.562000", "tags": [ "span", "type", "href", "tbody", "tfoot", "thead", "input", "helvetica neue", "helvetica", "arial", "twitter", "date", "docviewtop", "shadow", "rocketchat", "sogo", "gitlab", "wordpress", "matomo", "kanboard", "taiga", "ninja", "slow", "scroll", "dom exception", "google", "regexp", "mmm d", "mmmm d", "null", "this", "number", "destroy", "controller", "array", "error", "android", "false", "function", "index", "slickcenter", "slick", "object", "translate", "translate3d", "jquery", "typeof c", "copyright", "bootstrap", "javascript", "azaz", "popover", "typeof f", "typeof b", "width", "pseudo", "child", "sufeffxa0", "class", "accept", "string", "please", "blob", "post", "link", "license" ], "references": [ "https://analytics.cloudron.io/piwik.js", "https://www.cloudron.io/3rdparty/jquery-1.11.0.js", "https://www.cloudron.io/3rdparty/bootstrap.min.js", "https://www.cloudron.io/3rdparty/slick.js", "https://www.cloudron.io/3rdparty/angular.min.js", "https://www.cloudron.io/3rdparty/angular-loader.min.js", "https://www.cloudron.io/3rdparty/angular-route.min.js", "https://www.cloudron.io/3rdparty/angular-base64.min.js", "https://www.cloudron.io/index.js", "https://www.cloudron.io/3rdparty/bootstrap.min.css" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 541, "URL": 1300, "domain": 180, "FileHash-SHA256": 72, "FileHash-SHA1": 1 }, "indicator_count": 2094, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1397 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261fd6a8d527fa569351e63", "name": "Malware hosting - unrealservers.net & heymman.com", "description": "function S.name, a.com, has been added to the end of a page to make sure it does not end up in an unauthorised place. and it will not get any more.", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-22T00:57:14.125000", "tags": [ "e2f0fc", "fd7a07", "f0482b", "gradienttype0", "a5bcce", "helvetica", "negative", "arial", "bcd3e4", "style sheet", "nonce", "script", "please do", "not copy", "and paste", "this code", "cgrecaptchacfg", "ngrecaptcha", "recaptchaapi", "render", "onload", "select", "error", "strong", "uint8array", "string", "null", "number", "function", "input", "array", "iframe", "date", "android", "verify", "stop", "this", "span", "enterprise", "click", "widget", "window", "form", "generator", "reload", "void", "dd2d2f", "e8e8e8", "d8d8d8", "fcfcfc", "e5e5e5", "lucida", "unicode", "lucida grande", "f9f9f9", "footer", "unavailable", "ngsanitize", "order now", "invalid", "snippet", "month", "hours", "fullyear", "regexp", "eeee", "mmmm d", "mena", "christ" ], "references": [ "xfe-URL-heymman.com-stix2-2.1-export.json", "https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js", "https://ajax.googleapis.com/ajax/libs/angularjs/1.4.2/angular-sanitize.js", "https://www.heymman.com/script.js", "https://www.heymman.com/style/main.css", "https://www.gstatic.com/recaptcha/releases/QENb_qRrX0-mQMyENQjD6Fuj/recaptcha__en.js", "https://www.google.com/recaptcha/api.js", "https://unrealservers.net/master.css", "xfe-URL-Ndevix.com-stix2-2.1-export.json", "xfe-URL-Misk.com-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 427, "URL": 1183, "FileHash-SHA256": 162, "domain": 441, "email": 4 }, "indicator_count": 2217, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6252df03791ceb2df29742fe", "name": "reCAPTCHA", "description": "var a,r, i,o, r, c+(((s>>>16)*c&65535)<<16, as well as the Object, to be used as a decoder.", "modified": "2022-05-10T00:02:48.350000", "created": "2022-04-10T13:43:30.961000", "tags": [ "arial", "roboto", "helvetica neue", "typesubmit", "webkitkeyframes", "typeerror", "typeof t", "string", "object", "typeof e", "symbol", "typeof symbol", "typeof window", "typeof self", "typeof r", "date", "body", "html", "typeof n", "error", "version", "shown", "click", "dataspy", "trident", "window", "lpmlightbox", "messaging1", "chat0", "href", "tabindex", "copyright", "closure library", "info", "smsclientapi", "null", "typeof", "regexp", "debug", "chat", "scraper", "cookie", "stop", "iframe", "explorer", "small", "seppuku", "jsloader", "token", "viewed", "kbcontentclick", "blank", "post", "document", "typeof storage", "unknownerror", "element", "overquerylimit", "requestdenied", "zeroresults", "notfound", "node", "edge", "android", "unknown", "false", "june", "generator", "marker", "hybrid", "month", "azaz09", "hours", "function", "number", "fullyear", "controller", "christ", "sufeffxa0", "class", "attr", "pseudo", "child", "js foundation", "typeof module", "directclick", "x22loansx22", "x221x22", "9o7nxzt", "x22applyx22", "x3dw", "x3dnew", "x22pageloadx22", "x22scriptx22", "x22uetqx22", "viewcontent", "addtocart", "purchase", "array", "customevent", "09af", "ver0", "tag0", "extdata0", "ua ch", "invalid", "license", "calltrkswap", "typeof s", "xmlhttprequest", "65535", "awindow", "cwm fjordbank", "activexobject", "tfunction", "sfunction", "yfunction", "googlendt" ], "references": [ "xfe-URL-ihagoogle.com-stix2-2.1-export.json", "http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js", "http://sedoparking.com/frmpark/ihagoogle.com/sedopark/park.js", "http://instantfwding.com/px.js?ch=1", "http://pxlgnpgecom-a.akamaihd.net/javascripts/browserfp.min.js?templateId=11&customerId=7CUHNT0E1", "https://pxlgnpgecom-a.akamaihd.net/javascripts/bfp_ssn.js?templateId=11", "https://s.thebrighttag.com/tag?site=9O7NXzt&H=-5nu6gjg&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&mode=v2&cf=7500150%2C7500152&btpdb.9O7NXzt.dGZjLjc1MDAxNTE=UkVRVUVTVFMuMA&btpdb.9O7NXzt.dGZjLjc1MTUyNDU=U0VTU0lPTg&btpdb.9O7N", "https://cdn.callrail.com/companies/448598242/66d5efd6cbf06378ea1f/12/swap.js", "https://bat.bing.com/bat.js", "https://tag.perfectaudience.com/serve/5f59021d1911b61034000d8d.js", "https://s.thebrighttag.com/tag?site=9O7NXzt&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&H=-5nu6gjg", "https://code.jquery.com/jquery-3.4.1.min.js?ver=3.4.1", "https://integration.silvercloudinc.com/js/bundle/vendor.js", "https://maps.googleapis.com/maps/api/js?key=AIzaSyAMbtdeFB5s623T4LwRldWj_Vdy2t4wLkw&libraries=places", "https://lptag.liveperson.net/tag/tag.js?site=22027291", "https://integration.silvercloudinc.com/js/bundle/8.engageware-bundle.js", "https://lptag.liveperson.net/lptag/api/account/22027291/configuration/applications/taglets/.jsonp?v=2.0&df=2&b=2", "https://pixel-geo.prfct.co/tagjs?a_id=131352&source=js_tag", "https://bat.bing.com/p/action/56358236.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/388043112/?random=1649597062436&cv=9&fst=1649597062436&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=2&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa3u0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%3A%2520Zeal%2520Credit%2520", "https://lpcdn.lpsnmedia.net/le_re/3.50.0.1-release_5103/jsv2/overlay.js?_v=3.50.0.1-release_5103", "https://www.zealcu.org/app/uploads/cache/js/aggregated_single_eb9d05879e4cb943b965deb3cccf05ee.js", "https://integration.silvercloudinc.com/js/silvercloudjs/silvercloud.js", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649597153888&ids%5B%5D=448598242", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649598014683&ids%5B%5D=448598242", "https://www.zealcu.org/app/uploads/cache/css/aggregated_cd3154a65f0e94fa98c08398cba54caa.css", "https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfjFjMaAAAAACpmnf2RfTg2U2m4Cdnku25XccJW&co=aHR0cHM6Ly93d3cuemVhbGN1Lm9yZzo0NDM.&hl=en&v=Y-cOIEkAqcfDdup_qnnmkxIC&theme=light&size=normal&cb=j4msjl4zxy97", "https://va.idp.liveperson.net/postmessage/postmessage.min.html?bust=1649597064004&loc=https%3A%2F%2Fwww.zealcu.org", "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1790, "hostname": 586, "FileHash-SHA256": 362, "domain": 330, "email": 1 }, "indicator_count": 3069, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "623243bdde8eaff87c503010", "name": "michigan.gov.sos.0,1607,7-127-1633_8716_8726_47669-175878- -,00.html%22", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T20:08:29.416000", "tags": [ "WannaCry", "Michigan.gov" ], "references": [ "michigan.gov.sos.0,1607,7-127-1633_8716_8726_47669-175878- -,00.html%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 190, "URL": 472, "domain": 49, "FileHash-SHA256": 377, "CIDR": 1, "FileHash-MD5": 4 }, "indicator_count": 1093, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1466 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622f4f5bd90a80ace9ed5ac7", "name": "results.enr.clarityelections.com:TX:Comal:%22 ~ 03.04.2022", "description": "", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T14:21:15.662000", "tags": [], "references": [ "results.enr.clarityelections.com:TX:Comal:%22.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45, "URL": 96, "domain": 13, "FileHash-SHA256": 143, "CIDR": 1, "FileHash-MD5": 8 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1468 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "boostmobile.com", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://s.thebrighttag.com/tag?site=9O7NXzt&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&H=-5nu6gjg", "https://cdn.callrail.com/companies/448598242/66d5efd6cbf06378ea1f/12/swap.js", "https://apple.pantion.top/", "https://integration.silvercloudinc.com/js/bundle/vendor.js", "https://www.cloudron.io/3rdparty/angular.min.js", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "https://integration.silvercloudinc.com/js/silvercloudjs/silvercloud.js", "https://www.cloudron.io/3rdparty/slick.js", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "https://integration.silvercloudinc.com/js/bundle/8.engageware-bundle.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/388043112/?random=1649597062436&cv=9&fst=1649597062436&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=2&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa3u0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%3A%2520Zeal%2520Credit%2520", "https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfjFjMaAAAAACpmnf2RfTg2U2m4Cdnku25XccJW&co=aHR0cHM6Ly93d3cuemVhbGN1Lm9yZzo0NDM.&hl=en&v=Y-cOIEkAqcfDdup_qnnmkxIC&theme=light&size=normal&cb=j4msjl4zxy97", "https://pixel-geo.prfct.co/tagjs?a_id=131352&source=js_tag", "CVE-2023-4966", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A", "https://maps.googleapis.com/maps/api/js?key=AIzaSyAMbtdeFB5s623T4LwRldWj_Vdy2t4wLkw&libraries=places", "https://lptag.liveperson.net/lptag/api/account/22027291/configuration/applications/taglets/.jsonp?v=2.0&df=2&b=2", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com", "https://www.heymman.com/script.js", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "user-apple.info", "https://analytics.cloudron.io/piwik.js", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649598014683&ids%5B%5D=448598242", "init-p01st.push.apple.com", "https://b.link/infringement", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "https://www.hybrid-analysis.com/sample/91fb6887a7d7b8f298f3ea09abd8284404916b3623679b791a71087a12d65523/5936cfa1aac2ed5e205fb505", "xfe-URL-Ndevix.com-stix2-2.1-export.json", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "https://js.callrail.com/group/0/66d5efd6cbf06378ea1f/02836fdf-c99c-4a90-b31b-373093db654e/poll.js?t=1649597153888&ids%5B%5D=448598242", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://tag.perfectaudience.com/serve/5f59021d1911b61034000d8d.js", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "www.metrobyt-mobile.com", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "http://watchhers.net/index.php", "https://www.cloudron.io/3rdparty/angular-loader.min.js", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js", "http://pxlgnpgecom-a.akamaihd.net/javascripts/browserfp.min.js?templateId=11&customerId=7CUHNT0E1", "http://sedoparking.com/frmpark/ihagoogle.com/sedopark/park.js", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://www.heymman.com/style/main.css", "appleid-comloginaccount.info", "bienvenidosnewyork.com/app.php", "https://bat.bing.com/p/action/56358236.js", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "https://lpcdn.lpsnmedia.net/le_re/3.50.0.1-release_5103/jsv2/overlay.js?_v=3.50.0.1-release_5103", "Malware Host: HallRender.com", "https://bat.bing.com/bat.js", "https://s.thebrighttag.com/tag?site=9O7NXzt&H=-5nu6gjg&referrer=https%3A%2F%2Fwww.zealcu.org%2Fhome-loans%2F%3Fmsclkid%3D3ef1349815a11e52b0b256cacc0bc952%26utm_source%3Dbing%26utm_medium%3Dcpc%26utm_campaign%3DSearch%253A%2520Zeal%2520Credit%2520Union%2520-%2520Mortgages%26utm_term%3Dhouse%2520mortgage%26utm_content%3DMortgage%2520General&docReferrer=http%3A%2F%2Finstantfwding.com%2F&mode=v2&cf=7500150%2C7500152&btpdb.9O7NXzt.dGZjLjc1MDAxNTE=UkVRVUVTVFMuMA&btpdb.9O7NXzt.dGZjLjc1MTUyNDU=U0VTU0lPTg&btpdb.9O7N", "https://code.jquery.com/jquery-3.4.1.min.js?ver=3.4.1", "https://www.zealcu.org/app/uploads/cache/js/aggregated_single_eb9d05879e4cb943b965deb3cccf05ee.js", "safebae.org", "nr-data.net", "https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net", "www.n-helix.com - Foundry remnant", "https://www.google.com/recaptcha/api.js", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano", "michigan.gov.sos.0,1607,7-127-1633_8716_8726_47669-175878- -,00.html%22,.pdf", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh", "t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "http://instantfwding.com/px.js?ch=1", "results.enr.clarityelections.com:TX:Comal:%22.pdf", "https://va.idp.liveperson.net/postmessage/postmessage.min.html?bust=1649597064004&loc=https%3A%2F%2Fwww.zealcu.org", "https://www.cloudron.io/3rdparty/bootstrap.min.css", "https://pxlgnpgecom-a.akamaihd.net/javascripts/bfp_ssn.js?templateId=11", "https://www.cloudron.io/3rdparty/angular-base64.min.js", "xfe-URL-heymman.com-stix2-2.1-export.json", "xfe-URL-ihagoogle.com-stix2-2.1-export.json", "https://lptag.liveperson.net/tag/tag.js?site=22027291", "xfe-URL-Misk.com-stix2-2.1-export.json", "https://matrix.pornhub.dev", "https://www.cloudron.io/3rdparty/angular-route.min.js", "https://unrealservers.net/master.css", "https://www.cloudron.io/3rdparty/jquery-1.11.0.js", "web2.westlaw.com (redirects to thbrzzrstr.me)", "Poemhunter.com + rally point.com = pornhub.dev", "https://www.cloudron.io/index.js", "https://www.gstatic.com/recaptcha/releases/QENb_qRrX0-mQMyENQjD6Fuj/recaptcha__en.js", "itunes.apple.com \u2022 api.amazon.com", "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE", "newrelic.se", "https://www.zealcu.org/app/uploads/cache/css/aggregated_cd3154a65f0e94fa98c08398cba54caa.css", "http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js", "my.mintmobile.com", "https://ajax.googleapis.com/ajax/libs/angularjs/1.4.2/angular-sanitize.js", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.cloudron.io/3rdparty/bootstrap.min.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Alf:trojan:win32/agent.wtk!mtb", "#lowfi:hstr:msil/possibledownloader.s01", "Trojanspy", "Win.packed", "Beach research", "Trojan:win32/qqpass", "Win.ransomware.wannacry-9856297-0", "Unruy", "Win.malware.snojan", "Radar ineractive", "Tsara brashears", "Win.malware.zusy", "Webtoolbar", "Upatre", "Mitre attack", "Et", "Malware", "Maltiverse", "Trojandropper:win32/vb.il" ], "industries": [ "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "69bbd2d6d9d356c1f3e6dcc0", "name": "VirusTotal report\n for sample.apk", "description": "T1406 Obfuscated Files or Information confidence: medium\nDefense Evasion\nT1421 System Network Connections Discovery confidence: medium\nT1422 System Network Configuration Discovery confidence: medium\nT1430 Location Tracking confidence: medium\nT1418 Software Discovery confidence: medium\nT1426 System Information Discovery confidence: medium\nT1424 Process Discovery confidence: medium\nDiscovery\nT1430 Location Tracking confidence: medium\nCommand and Control\nT1573 Encrypted Channel confidence: low\nT1071 Application Layer Protocol\nhttps://www.virustotal.com/gui/file/0029a9b7bba96f77d8851e7f716879129ace86ff016263c2842a1767cca8c051/behavior", "modified": "2026-04-18T11:12:42.071000", "created": "2026-03-19T10:41:26.327000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 12, "URL": 54, "domain": 2, "hostname": 24 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916d97edb28b2616ffac3ab", "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "", "modified": "2025-11-14T07:41:19.912000", "created": "2025-11-14T07:25:50.524000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4037, "hostname": 2241, "URL": 2516, "FileHash-MD5": 1224, "FileHash-SHA1": 783, "FileHash-SHA256": 2796, "CVE": 10, "email": 25 }, "indicator_count": 13632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dbee57fc8b1739c2223376", "name": "Serious Privacy Violations \u2022 Groundup Monitoring a Household \u2022 IoT", "description": "Thank you for the tip. It\u2019s taken me 98 days to get to this one. Enlightening. \n\nI\u2019m going to reserve my comments. A lot of new stuff here. \n#Intrusive\n#helix #helix_foundry_connection #amazon #advesaries_in_the_middle", "modified": "2025-10-30T14:05:43.818000", "created": "2025-09-30T14:51:03.111000", "tags": [ "united", "trojandropper", "passive dns", "lowfi", "head meta", "moved title", "twitter", "moved", "a href", "present sep", "aaaa", "ireland", "ip address", "emails", "reverse dns", "malware", "unruy", "upatre", "snowjan", "zusy", "vb", "x.com", "downloader", "trojan", "agent", "pe32 executable", "intel", "ms windows", "reads", "medium", "write", "delete", "top source", "push", "germany unknown", "name servers", "head body", "urls", "files ip", "url analysis", "address", "asn as3320", "present jun", "present jul", "present may", "present oct", "present feb", "present nov", "url hostname", "server response", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "development att", "ssl certificate", "path", "sha256", "pattern match", "ffffff", "general", "iframe", "click", "strings", "leon", "dns requests", "domain address", "http", "files domain", "files related", "ireland unknown", "files", "dublin", "ireland asn", "as16509", "script urls", "dubai real", "meta", "encrypt", "austria unknown", "austria asn", "asnone dns", "resolutions", "handle", "rdap database", "iana registrar", "helix", "foundry", "iot", "apple", "itunes", "amazon", "unknown ns", "found", "content type", "gmt server", "x xss", "certificate", "domain add", "error", "code", "date", "entries", "next associated", "body html", "title", "present aug", "servers", "status", "for privacy", "redacted for", "spawns", "ck techniques", "url add", "pulse pulses", "related nids", "files location", "flag united", "showing", "media", "cname", "invalid url", "creation date", "body", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "mitre att", "show technique", "hybrid", "local" ], "references": [ "families.google/intl/pt-PT_ALL/familylink \u2022 cameyo.google \u2022 googlecampaigns.com \u2022. chrome.com.bh", "t-iot.de \u2022 dockerregistry.xlab.t-iot.de\t \u2022 netbox.nic.xlab.t-iot.de", "www.n-helix.com - Foundry remnant", "itunes.apple.com \u2022 api.amazon.com", "https://webclientshellserver-prod-trafficmanager-net.s-0005.dual-s-msedge.net", "https://www.matchsticksandgasoline.com/2018/11/2/18051280/the-morning-after-colorado-if-you-want-to-be-a-goalie-skip-these-highlights-mark-giordano", "http://s.vebnox.com \u2022 vebnox.com \u2022 http://stulancer.vebnox.com \u2022 vebnox.com \u2022 http://vedonate.vebnox.com \u2022 vebnox.com \u2022 https://home.vebnox.com vebnox.com \u2022 https://vedonate.vebnox.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Win.Malware.Snojan", "display_name": "Win.Malware.Snojan", "target": null }, { "id": "Win.Packed", "display_name": "Win.Packed", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "ALF:Trojan:Win32/Agent.WTK!MTB", "display_name": "ALF:Trojan:Win32/Agent.WTK!MTB", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3399, "domain": 790, "FileHash-MD5": 174, "FileHash-SHA1": 171, "FileHash-SHA256": 3349, "hostname": 1325, "email": 10, "SSLCertFingerprint": 9 }, "indicator_count": 9227, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d95bd10bfcc8c3dd66a44d", "name": "Qbot ", "description": "", "modified": "2024-09-05T09:51:10.113000", "created": "2024-09-05T07:20:49.138000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": "654971c396ca4306a6534b12", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4091, "hostname": 2422, "URL": 3167, "FileHash-MD5": 1424, "FileHash-SHA1": 983, "FileHash-SHA256": 3174, "CVE": 10, "email": 25 }, "indicator_count": 15296, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "713 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654971c396ca4306a6534b12", "name": "njRAT| BazarLoader| Daekside2020 .Beware \u2022 WebToolbar \u2022 Qbot", "description": "CNC, botnetwork, malware attacks, malvertizing, remote attacks, decryption, device stalking, ' has own property call command', illegal service interference, teen and adult content, cyber stalking, password cracking. Intimidation, harassment , threatening, libel , cybercrime hacking, defacement", "modified": "2023-12-06T21:03:06.189000", "created": "2023-11-06T23:07:46.880000", "tags": [ "whois record", "ssl certificate", "historical ssl", "resolutions", "referrer", "communicating", "subdomains", "domains", "problems", "urls http", "ransomware", "malware", "contacted", "dropped", "execution", "tsara brashears", "apple ios", "whois whois", "unlocker", "njrat", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "installer", "awful", "open", "banker", "keylogger", "malicious", "tofsee", "mitre attack", "et", "cisco umbrella", "internet storm", "site", "covid19", "cyber threat", "safe site", "cobalt strike", "malicious url", "alexa", "script urls", "united", "a domains", "as396982 google", "as15169 google", "search", "cname", "accept encoding", "showing", "unknown", "date", "body", "meta", "encrypt", "domain related", "as396982", "creation date", "expiration date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "passive dns", "urls", "next", "all search", "otx octoseek", "as7922 comcast", "as16276", "as54113", "aaaa", "france unknown", "as14061", "status", "as40509", "ip address", "for privacy", "as44273 host", "record value", "certificate", "gmt content", "x sucuri", "as8075", "nxdomain", "as30148 sucuri", "as20940", "as31898 oracle", "hong kong", "as139021", "msie", "chrome", "ipv4", "blacklist http", "detection list", "blacklist", "files", "location hong", "kong asn", "tags none", "indicator facts", "name verdict", "falcon sandbox", "mail spammer", "tor known", "tor relayrouter", "exit", "node tcp", "traffic", "heur", "malicious site", "alexa top", "million", "alexa proxy", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "artemis", "dropper", "mediaget", "crack", "spammer", "france mail", "summary", "url summary", "phishing", "union", "team", "bank", "unsafe", "threat report", "ip summary", "pattern match", "script", "et tor", "known tor", "relayrouter", "node traffic", "misc attack", "beginstring", "null", "error", "span", "class", "generator", "refresh", "tools", "hybrid", "general", "click", "strings", "servers", "ps ord", "name servers", "poetry", "moved", "content length", "content type", "x powered", "poems", "poem", "topic", "topics", "poem topics", "free poems", "love poems", "romantic poems", "classic poems", "friendship poems", "shone pale", "herself", "heavens", "her beam", "a fleecy", "proud evening", "star", "thou bearest", "heaven", "than", "google", "http", "leasewebuklon11", "search live", "api blog", "docs pricing", "login", "february", "gb summary", "london", "april", "screenshot", "url https", "reverse dns", "general full", "name value", "frankfurt", "main", "germany", "asn15169", "resource", "hashes", "copyright", "gmbh version", "follow", "blacklist https", "phishing site", "malware site", "riskware", "opencandy", "cleaner", "iframe", "xtrat", "agent", "softcnapp", "generic", "patcher", "driverpack", "exploit", "mimikatz", "downldr", "presenoker", "fusioncore", "wacatac", "beach research", "trojanspy", "maltiverse", "firehol", "proxy", "anonymizer", "adware", "kuaizip", "downer", "tag count", "tue apr", "sample", "samples", "fakealert", "genkryptik", "icedid", "coinminer", "nircmd", "swrort", "systweak", "behav", "tiggre", "filetour", "quasar rat", "fuery", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "a9dia", "a1ginaprincipal", "emails", "registrar", "http header", "tcp traffic", "et useragents", "unknown traffic", "antivirus", "server", "gmt united", "accept", "local", "path", "falcon", "file", "ascii text", "windows nt", "png image", "appdata", "jpeg image", "indicator", "twitter", "westlaw njrat", "zuorat", "skynet bot", "glupteba", "asn4583", "thomsonreuters", "asn209242", "june", "back", "united kingdom", "cisco", "umbrella rank", "rank", "page url", "as autonomous", "system", "yndx", "ipasns ip", "november", "de summary", "comodo rsa", "security tls", "software", "resource hash", "security", "ecdhersa", "de indicators", "de page", "url history", "javascript", "gts ca", "secure server", "markmonitor", "ip information", "detail domains", "domain tree", "links certs", "frames domain", "requested", "threat roundup", "march", "threat round", "parent parent", "roundup", "january", "threats", "qbot", "cyberwar", "skynet", "radar ineractive", "control server", "engineering", "host", "services", "pony", "nanocore rat", "meterpreter", "zeus", "zbot", "suppobox", "stealer", "redline stealer", "dnspionage", "mirai", "nanocore", "bradesco", "emotet", "laplasclipper", "asn16276", "get h2", "kb image", "august", "kali", "localappdata", "network traffic", "binary file", "svg scalable", "vector graphics", "mwin", "domain", "url http", "pulse pulses", "related nids", "files location", "customer", "address", "as29789", "hosting", "location united", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "urls date", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present mar", "pulse indicator", "protocol h2", "value", "variables", "waypoint object", "gsqueue", "isotope", "hostnames", "ice fog", "maltiverse top", "financial", "as62597 nsone", "sec ch", "domains show", "entries", "as14720 gamma", "canada unknown", "as397241", "as13335", "applicunwnt", "xrat", "maltiverse safe", "aig", "soc", "hallrender", "brian sabey", "mark brian sabey", "sabey", "mark", "sabey", "data center", "malvertizing", "malware host", "scanning host", "botnetwork", "colorado", "edsaid", "geotracking", "satellite tracking", "radar tracking", "pornhub", "child teen content illegal", "social engineering", "cyber stalking", "CVE-2023-4966", "device control", "camera usage", "hidden users", "message interception", "text archiver", "mail collection", "remote attacks", "js", "python", "inject", "sql", "extraction", "AIG Claims", "hallrender.com", "soc", "milemighmedia", "westlaw", "revengeporn", "bot", "regex", "ai", "yandex" ], "references": [ "web2.westlaw.com (redirects to thbrzzrstr.me)", "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...", "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757", "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary", "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777", "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Malware Host: HallRender.com", "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3", "safebae.org", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu (phishing | cybercrime)", "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Poemhunter.com + rally point.com = pornhub.dev", "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community", "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba", "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/", "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694", "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://matrix.pornhub.dev", "nr-data.net", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png", "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png", "https://apple.pantion.top/", "newrelic.se", "user-apple.info", "appleid-comloginaccount.info", "init-p01st.push.apple.com", "boostmobile.com", "www.metrobyt-mobile.com", "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg", "https://b.link/infringement", "my.mintmobile.com", "CVE-2023-4966", "http://watchhers.net/index.php", "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Netherlands", "Canada", "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Radar Ineractive", "display_name": "Radar Ineractive", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1423", "name": "Network Service Scanning", "display_name": "T1423 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1173", "name": "Dynamic Data Exchange", "display_name": "T1173 - Dynamic Data Exchange" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 140, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4018, "hostname": 2152, "URL": 2105, "FileHash-MD5": 1223, "FileHash-SHA1": 783, "FileHash-SHA256": 2789, "CVE": 9, "email": 25 }, "indicator_count": 13104, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709632333f37e8de4185e9", "name": "whitelisted angular.js", "description": "", "modified": "2023-12-06T15:41:38.498000", "created": "2023-12-06T15:41:38.498000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 245, "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 424, "hostname": 466, "URL": 1805 }, "indicator_count": 3193, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b72abe90961af1737c9", "name": "reCAPTCHA", "description": "", "modified": "2023-12-06T14:55:46.172000", "created": "2023-12-06T14:55:46.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 362, "domain": 330, "URL": 1790, "hostname": 586, "email": 1 }, "indicator_count": 3069, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657081be03964e671c853055", "name": "results.enr.clarityelections.com:TX:Comal:%22 ~ 03.04.2022", "description": "", "modified": "2023-12-06T14:14:21.542000", "created": "2023-12-06T14:14:21.542000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 143, "hostname": 45, "URL": 96, "domain": 13, "CIDR": 1, "FileHash-MD5": 8 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "angularjs.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "angularjs.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776662332.089083 }