{
  "type": "Domain",
  "indicator": "appield.support",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/appield.support",
    "alexa": "http://www.alexa.com/siteinfo/appield.support",
    "indicator": "appield.support",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1760451,
      "indicator": "appield.support",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "688b0fbceab364a2b84b1124",
          "name": "Busybox MIORI Hackers - ongoing  Aurora , Medical Campus -Mirai [by scoreblue -Team 8]",
          "description": "",
          "modified": "2025-07-31T06:39:56.204000",
          "created": "2025-07-31T06:39:56.204000",
          "tags": [
            "idnischdr http",
            "computer",
            "america asn",
            "as7018 att",
            "url https",
            "america",
            "united states",
            "united",
            "germany",
            "italy",
            "trojan",
            "all scoreblue",
            "report spam",
            "created",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "all search",
            "author avatar",
            "miori hackers",
            "file score",
            "detections elf",
            "path",
            "busybox busybox",
            "brute force",
            "attack bad",
            "login yara",
            "detections",
            "sid name",
            "malware cve",
            "suspicious path",
            "busybox",
            "activity",
            "system",
            "malware beacon",
            "bad login",
            "attack",
            "port",
            "destination",
            "show",
            "search",
            "exif data",
            "property value",
            "elf info",
            "key value",
            "x86 baddr",
            "elf64 crypto",
            "final url",
            "ip address",
            "status code",
            "body",
            "kb body",
            "sha256",
            "server",
            "gmt connection",
            "date sun",
            "gmt contenttype",
            "filehashsha256",
            "crazy doll",
            "next",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cgb stgreater",
            "cnsectigo rsa",
            "secure server",
            "ca validity",
            "cus stcolorado",
            "info",
            "director",
            "orgtechhandle",
            "orgtechref",
            "university",
            "whois lookup",
            "netrange",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "network",
            "registry arin",
            "country us",
            "continent na",
            "meta",
            "script script",
            "lance mueller",
            "mueller",
            "unknown",
            "script urls",
            "photography",
            "passive dns",
            "urls",
            "model",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "status",
            "http",
            "record value",
            "emails",
            "dnssec",
            "domain name",
            "backdoor",
            "bad request",
            "entries",
            "title style",
            "f2f2f2 color",
            "helvetica neue",
            "exploit",
            "browse scan",
            "endpoints all",
            "search otx",
            "related pulses",
            "file samples",
            "files matching",
            "as44273 host",
            "showing",
            "telper",
            "date hash",
            "copyright",
            "url http",
            "win64",
            "as53665 bodis",
            "aaaa",
            "as206834 team",
            "canada unknown",
            "read c",
            "create c",
            "write c",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "delete c",
            "dock",
            "write",
            "execution",
            "copy",
            "xport",
            "1575038779",
            "medium",
            "capture",
            "malware",
            "february",
            "as61969 team",
            "servers",
            "domain robot",
            "expiration date",
            "as714 apple",
            "as42 woodynet",
            "nxdomain",
            "name servers",
            "a nxdomain",
            "ipv4",
            "found",
            "control",
            "content type",
            "as20940",
            "asnone united",
            "as701 verizon",
            "as2914 ntt",
            "win32",
            "certificate",
            "date",
            "dynamicloader",
            "high",
            "t1055",
            "attempts",
            "yara detections",
            "bitcoinaltcoin",
            "code injection",
            "high defense",
            "ip related",
            "pulses otx",
            "pulses",
            "overview domain",
            "files ip",
            "address domain",
            "related tags",
            "pulse pulses",
            "div div",
            "as49505",
            "span",
            "form",
            "as6185 apple",
            "china",
            "as4812 china",
            "as17816 china",
            "as4134 chinanet",
            "scan endpoints",
            "trojan features",
            "enigmaprotector",
            "dynamic",
            "powershell",
            "filehash",
            "for privacy",
            "ltd dba",
            "com laude",
            "cname",
            "cve20170147 sep",
            "verdict",
            "as63949 linode",
            "https",
            "as8075",
            "united kingdom",
            "whitelisted",
            "as25825",
            "moved",
            "aurora",
            "redacted for",
            "whois lookups",
            "orgid",
            "east",
            "seen",
            "update date",
            "cidr",
            "netname uch",
            "parent net168",
            "nettype direct",
            "contacted",
            "tulach",
            "brian sabey"
          ],
          "references": [
            "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
            "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "ELF:Mirai-TO\\ [Trj] tulach.cc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
            "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "Yara Detections: is__elf",
            "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
            "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
            "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
            "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
            "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
            "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
            "Title The page title. Chieti Meteo - Webcam Abruzzo",
            "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
            "savethemalesdenver.com | brasville.com.br?",
            "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
            "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
            "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
            "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
            "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
            "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
            "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
            "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
            "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
            "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
            "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
            "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
            "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
            "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
            "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
            "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
            "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
            "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
            "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
            "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
            "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
            "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
            "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
            "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
            "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
            "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
            "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
          ],
          "public": 1,
          "adversary": "busybox MIORI Hackers",
          "targeted_countries": [
            "United States of America",
            "Mexico"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Bulilit",
              "display_name": "TrojanDownloader:Win32/Bulilit",
              "target": "/malware/TrojanDownloader:Win32/Bulilit"
            },
            {
              "id": "ELF:Mirai-TO\\ [Trj]",
              "display_name": "ELF:Mirai-TO\\ [Trj]",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai.B",
              "display_name": "Backdoor:Linux/Mirai.B",
              "target": "/malware/Backdoor:Linux/Mirai.B"
            },
            {
              "id": "TELPER:HSTR:DotCisOffer",
              "display_name": "TELPER:HSTR:DotCisOffer",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Backdoor:Win32/Bladabindi",
              "display_name": "Backdoor:Win32/Bladabindi",
              "target": "/malware/Backdoor:Win32/Bladabindi"
            },
            {
              "id": "ALF:E5",
              "display_name": "ALF:E5",
              "target": null
            },
            {
              "id": "Win.Malware.Midie-9950743-0",
              "display_name": "Win.Malware.Midie-9950743-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.ARJ!MTB",
              "display_name": "Trojan:Win32/Emotet.ARJ!MTB",
              "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fb3c4e8a2593134641f3c0",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 459,
            "FileHash-MD5": 1228,
            "FileHash-SHA1": 1163,
            "FileHash-SHA256": 2243,
            "domain": 876,
            "hostname": 1088,
            "CIDR": 2,
            "email": 17,
            "CVE": 2,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 7083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "262 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fc29a49b5ac693c8d75122",
          "name": "Medical Campus - Aurora, Co | Recheck",
          "description": "This weekend we found a busybox MIORI Hackers attack - a serious attack on Aurora, Medical Campus (Mirai). This recheck is generic. All results were generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop-up auto-logins on locked screens and an autonomous system running alongside the actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
          "modified": "2024-10-31T16:03:52.240000",
          "created": "2024-10-01T16:56:04.004000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3850,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3329,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "535 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fb3c4e8a2593134641f3c0",
          "name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai",
          "description": "*Tipped - Patient reports that computers with fully locked screens log in every time she enters a room at UC Health Anschutz Campus. Unauthorized login: http://ITSupport.UCHealth.org. Graphs deleted from VirusTotal \u00bb Login ID: 168.200.45.168 [bound]. I've tried to post this pulse multiple times. IPs were contacted. Brute-force attempts on my device. Anyway, it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups' silencing crime victims, journalists, dissidents and potential whistleblowers. One victim was attacked physically while losing a health battle. Doctors unwilling to treat. Auto-populated \u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website www.forensickb.com. Hmmm... there was a counter-attack.",
          "modified": "2024-10-30T22:04:06.705000",
          "created": "2024-10-01T00:03:26.199000",
          "tags": [
            "idnischdr http",
            "computer",
            "america asn",
            "as7018 att",
            "url https",
            "america",
            "united states",
            "united",
            "germany",
            "italy",
            "trojan",
            "all scoreblue",
            "report spam",
            "created",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "all search",
            "author avatar",
            "miori hackers",
            "file score",
            "detections elf",
            "path",
            "busybox busybox",
            "brute force",
            "attack bad",
            "login yara",
            "detections",
            "sid name",
            "malware cve",
            "suspicious path",
            "busybox",
            "activity",
            "system",
            "malware beacon",
            "bad login",
            "attack",
            "port",
            "destination",
            "show",
            "search",
            "exif data",
            "property value",
            "elf info",
            "key value",
            "x86 baddr",
            "elf64 crypto",
            "final url",
            "ip address",
            "status code",
            "body",
            "kb body",
            "sha256",
            "server",
            "gmt connection",
            "date sun",
            "gmt contenttype",
            "filehashsha256",
            "crazy doll",
            "next",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cgb stgreater",
            "cnsectigo rsa",
            "secure server",
            "ca validity",
            "cus stcolorado",
            "info",
            "director",
            "orgtechhandle",
            "orgtechref",
            "university",
            "whois lookup",
            "netrange",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "network",
            "registry arin",
            "country us",
            "continent na",
            "meta",
            "script script",
            "lance mueller",
            "mueller",
            "unknown",
            "script urls",
            "photography",
            "passive dns",
            "urls",
            "model",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "status",
            "http",
            "record value",
            "emails",
            "dnssec",
            "domain name",
            "backdoor",
            "bad request",
            "entries",
            "title style",
            "f2f2f2 color",
            "helvetica neue",
            "exploit",
            "browse scan",
            "endpoints all",
            "search otx",
            "related pulses",
            "file samples",
            "files matching",
            "as44273 host",
            "showing",
            "telper",
            "date hash",
            "copyright",
            "url http",
            "win64",
            "as53665 bodis",
            "aaaa",
            "as206834 team",
            "canada unknown",
            "read c",
            "create c",
            "write c",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "delete c",
            "dock",
            "write",
            "execution",
            "copy",
            "xport",
            "1575038779",
            "medium",
            "capture",
            "malware",
            "february",
            "as61969 team",
            "servers",
            "domain robot",
            "expiration date",
            "as714 apple",
            "as42 woodynet",
            "nxdomain",
            "name servers",
            "a nxdomain",
            "ipv4",
            "found",
            "control",
            "content type",
            "as20940",
            "asnone united",
            "as701 verizon",
            "as2914 ntt",
            "win32",
            "certificate",
            "date",
            "dynamicloader",
            "high",
            "t1055",
            "attempts",
            "yara detections",
            "bitcoinaltcoin",
            "code injection",
            "high defense",
            "ip related",
            "pulses otx",
            "pulses",
            "overview domain",
            "files ip",
            "address domain",
            "related tags",
            "pulse pulses",
            "div div",
            "as49505",
            "span",
            "form",
            "as6185 apple",
            "china",
            "as4812 china",
            "as17816 china",
            "as4134 chinanet",
            "scan endpoints",
            "trojan features",
            "enigmaprotector",
            "dynamic",
            "powershell",
            "filehash",
            "for privacy",
            "ltd dba",
            "com laude",
            "cname",
            "cve20170147 sep",
            "verdict",
            "as63949 linode",
            "https",
            "as8075",
            "united kingdom",
            "whitelisted",
            "as25825",
            "moved",
            "aurora",
            "redacted for",
            "whois lookups",
            "orgid",
            "east",
            "seen",
            "update date",
            "cidr",
            "netname uch",
            "parent net168",
            "nettype direct",
            "contacted",
            "tulach",
            "brian sabey"
          ],
          "references": [
            "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
            "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "ELF:Mirai-TO\\ [Trj] tulach.cc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
            "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "Yara Detections: is__elf",
            "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
            "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
            "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
            "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
            "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
            "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
            "Title The page title. Chieti Meteo - Webcam Abruzzo",
            "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
            "savethemalesdenver.com | brasville.com.br?",
            "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
            "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
            "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
            "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
            "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
            "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
            "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
            "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
            "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
            "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
            "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
            "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
            "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
            "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
            "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
            "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
            "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
            "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
            "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
            "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
            "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
            "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
            "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
            "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
            "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
            "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
            "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
          ],
          "public": 1,
          "adversary": "busybox MIORI Hackers",
          "targeted_countries": [
            "United States of America",
            "Mexico"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Bulilit",
              "display_name": "TrojanDownloader:Win32/Bulilit",
              "target": "/malware/TrojanDownloader:Win32/Bulilit"
            },
            {
              "id": "ELF:Mirai-TO\\ [Trj]",
              "display_name": "ELF:Mirai-TO\\ [Trj]",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai.B",
              "display_name": "Backdoor:Linux/Mirai.B",
              "target": "/malware/Backdoor:Linux/Mirai.B"
            },
            {
              "id": "TELPER:HSTR:DotCisOffer",
              "display_name": "TELPER:HSTR:DotCisOffer",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Backdoor:Win32/Bladabindi",
              "display_name": "Backdoor:Win32/Bladabindi",
              "target": "/malware/Backdoor:Win32/Bladabindi"
            },
            {
              "id": "ALF:E5",
              "display_name": "ALF:E5",
              "target": null
            },
            {
              "id": "Win.Malware.Midie-9950743-0",
              "display_name": "Win.Malware.Midie-9950743-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.ARJ!MTB",
              "display_name": "Trojan:Win32/Emotet.ARJ!MTB",
              "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 459,
            "FileHash-MD5": 1228,
            "FileHash-SHA1": 1163,
            "FileHash-SHA256": 2243,
            "domain": 876,
            "hostname": 1088,
            "CIDR": 2,
            "email": 17,
            "CVE": 2,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 7083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "536 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b759cf57d491a9dcca8c17",
          "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com |  Twitter | Remote Job",
          "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id,  (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.",
          "modified": "2024-10-08T11:00:59.828000",
          "created": "2024-08-10T12:15:11.526000",
          "tags": [
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "yoda",
            "crypter",
            "win16 ne",
            "os2 executable",
            "sections",
            "md5 upx0",
            "upx1",
            "upx2",
            "downloads",
            "http posts",
            "mitre att",
            "evasion ta0005",
            "ta0006 input",
            "capture t1056",
            "remote system",
            "discovery t1018",
            "reads",
            "discovery t1082",
            "windows nt",
            "get http",
            "request",
            "pragma",
            "response",
            "memory pattern",
            "g2 tls",
            "rsa sha256",
            "ca1 odigicert",
            "inc cus",
            "hashes",
            "peexe",
            "deleted c",
            "files dropped",
            "json",
            "registry keys",
            "ssl protocol",
            "de ff",
            "c4 a6",
            "fe b9",
            "d7 e8",
            "ed f6",
            "c5 c1",
            "dd f1",
            "e0 ee",
            "dword",
            "samplepath",
            "process",
            "created",
            "shell commands",
            "windir",
            "runtime modules",
            "urls",
            "ip detections",
            "country",
            "us a83f81100",
            "microsoft stuff",
            "malicious proxy",
            "june",
            "referrer",
            "historical ssl",
            "threat roundup",
            "domains",
            "threat network",
            "tracker radar",
            "hunting service",
            "vt ransomware",
            "malicious",
            "ermac",
            "probe",
            "vhash",
            "authentihash",
            "rich pe",
            "ssdeep",
            "magic pe32",
            "trid upx",
            "portable",
            "info compiler",
            "products",
            "vs2008",
            "vs2010 sp1",
            "vs2010",
            "header target",
            "machine intel",
            "utc entry",
            "point",
            "registrar",
            "csc corporate",
            "markmonitor inc",
            "ta0009 command",
            "control ta0011",
            "catalog tree",
            "analysis ob0001",
            "analysis ob0002",
            "command",
            "control ob0004",
            "defense evasion",
            "sample",
            "upx software",
            "upx packed",
            "evasion t1497",
            "may sleep",
            "packing f0001",
            "evasion b0003",
            "f0001 upx",
            "ob0006 software",
            "file",
            "post http",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "zenbox",
            "user",
            "files deleted",
            "files",
            "calls",
            "as15169 google",
            "united",
            "status",
            "date",
            "name servers",
            "cname",
            "passive dns",
            "search",
            "record value",
            "next",
            "error",
            "code",
            "unknown",
            "trojan",
            "found",
            "gmt contenttype",
            "sameorigin",
            "all scoreblue",
            "trojandropper",
            "matches rule",
            "et info",
            "generic http",
            "exe upload",
            "vtapi",
            "emails",
            "servers",
            "aaaa",
            "domain",
            "as13414 twitter",
            "backdoor",
            "ipv4",
            "pulse pulses",
            "virtool",
            "mirai",
            "analyzer paste",
            "iocs",
            "hostnames",
            "urls https",
            "borpa loading",
            "expiration",
            "url https",
            "akamai rank",
            "hostname",
            "twitter",
            "tsara brashears",
            "ip address",
            "pe resource",
            "apple ios",
            "threats",
            "malware",
            "scripts",
            "norton",
            "excel",
            "hacktool",
            "problem",
            "njrat",
            "ransomware",
            "open",
            "samples",
            "url http",
            "vercel",
            "server attack",
            "yara detections",
            "push",
            "scan endpoints",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "code overlap",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "copy",
            "host",
            "contentlength",
            "malware beacon",
            "show",
            "entries",
            "cape",
            "write",
            "expiration date",
            "tulach topic",
            "brian sabey",
            "hallrender",
            "apple id",
            "malicious url",
            "tag count",
            "tld count",
            "detection list",
            "blacklist https",
            "count blacklist",
            "tag tag",
            "no data",
            "tld aggregation",
            "combined",
            "contact",
            "as206834 team",
            "canada unknown",
            "div div",
            "redacted for",
            "unknown xn",
            "script script",
            "msie",
            "chrome",
            "precondition",
            "mtb oct",
            "body",
            "worm",
            "trojanspy",
            "xpire.info",
            "searchmeup",
            "as61969 team",
            "creation date",
            "domain robot",
            "win32",
            "et smtp",
            "message",
            "high",
            "mailrubar",
            "trojanclicker",
            "parking crew",
            "parking logic",
            "category",
            "trojan features",
            "file samples",
            "files matching",
            "date hash",
            "showing",
            "creates largekey",
            "threat sniper",
            "crouching yeti",
            "kitten",
            "camaro dragon",
            "google phish",
            "macros",
            "hiddentear",
            "plugins",
            "removes headers",
            "hitmen"
          ],
          "references": [
            "trojan.vtflooder/vflooder FileHash-SHA256  e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4",
            "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection",
            "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound",
            "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data",
            "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
            "https://fixupx.com/Yoda4ever/status/1819058165264404527",
            "Malicious IP: 1.3.6.1 ASNone  Generic.Malware has also been named in ransomware and other highly malicious attacks.",
            "http://borpatoken.com/ borpatoken.com",
            "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
            "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter",
            "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.",
            "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443",
            "X Vercel Servers",
            "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db",
            "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c",
            "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae",
            "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick",
            "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com",
            "Vtapi: scanter.comwww.twitter.comx.com",
            "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message",
            "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain",
            "Crypt3.BWVY: FileHash-SHA256  9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249",
            "Crypt3.BWVY: FileHash-SHA1  4c60cf6b7e2981f1c05c5a34f880c6020923014c",
            "Crypt3.BWVY: FileHash-MD5  947f28c8ab697548aca370c080187e6e"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            },
            {
              "id": "Win.Trojan.Occamy",
              "display_name": "Win.Trojan.Occamy",
              "target": null
            },
            {
              "id": "W32.AIDetectMalware",
              "display_name": "W32.AIDetectMalware",
              "target": null
            },
            {
              "id": "Trojan.Vtflooder/Vflooder",
              "display_name": "Trojan.Vtflooder/Vflooder",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Xpire.info",
              "display_name": "Xpire.info",
              "target": null
            },
            {
              "id": "Searchmeup",
              "display_name": "Searchmeup",
              "target": null
            },
            {
              "id": "Trojan:Win32/Trickler",
              "display_name": "Trojan:Win32/Trickler",
              "target": "/malware/Trojan:Win32/Trickler"
            },
            {
              "id": "Trojan:Win32/Comame",
              "display_name": "Trojan:Win32/Comame",
              "target": "/malware/Trojan:Win32/Comame"
            },
            {
              "id": "#VirTool:Win32/Obfuscator",
              "display_name": "#VirTool:Win32/Obfuscator",
              "target": "/malware/#VirTool:Win32/Obfuscator"
            },
            {
              "id": "Trojan:Win32/Pariham",
              "display_name": "Trojan:Win32/Pariham",
              "target": "/malware/Trojan:Win32/Pariham"
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1943,
            "FileHash-SHA1": 1637,
            "FileHash-SHA256": 3321,
            "URL": 1014,
            "domain": 645,
            "hostname": 1472,
            "email": 7,
            "CVE": 2
          },
          "indicator_count": 10041,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "558 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b75a315eac0ff46fa4510d",
          "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com |  Twitter | Remote Job",
          "description": "Miscellaneous VirusTotal finding. A malicious hash was found while researching a malicious Twitter template connected to a post that referenced an otx.alienvault.com pulse.\nBorpaToken [moved] was observed attacking X Vercel servers, reportedly impacting Azure, X.com, Google.com, YouTube, Android devices and Apple ID (OTX also appears affected), with and without headers and across every version of the related links. Malicious x.com links redirect 'REMOTELY' to malicious Twitter templates that use recognized names. These impact claims are the pulse author's own and are not independently verified here.",
          "modified": "2024-10-08T11:00:59.828000",
          "created": "2024-08-10T12:16:49.869000",
          "tags": [
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "yoda",
            "crypter",
            "win16 ne",
            "os2 executable",
            "sections",
            "md5 upx0",
            "upx1",
            "upx2",
            "downloads",
            "http posts",
            "mitre att",
            "evasion ta0005",
            "ta0006 input",
            "capture t1056",
            "remote system",
            "discovery t1018",
            "reads",
            "discovery t1082",
            "windows nt",
            "get http",
            "request",
            "pragma",
            "response",
            "memory pattern",
            "g2 tls",
            "rsa sha256",
            "ca1 odigicert",
            "inc cus",
            "hashes",
            "peexe",
            "deleted c",
            "files dropped",
            "json",
            "registry keys",
            "ssl protocol",
            "de ff",
            "c4 a6",
            "fe b9",
            "d7 e8",
            "ed f6",
            "c5 c1",
            "dd f1",
            "e0 ee",
            "dword",
            "samplepath",
            "process",
            "created",
            "shell commands",
            "windir",
            "runtime modules",
            "urls",
            "ip detections",
            "country",
            "us a83f81100",
            "microsoft stuff",
            "malicious proxy",
            "june",
            "referrer",
            "historical ssl",
            "threat roundup",
            "domains",
            "threat network",
            "tracker radar",
            "hunting service",
            "vt ransomware",
            "malicious",
            "ermac",
            "probe",
            "vhash",
            "authentihash",
            "rich pe",
            "ssdeep",
            "magic pe32",
            "trid upx",
            "portable",
            "info compiler",
            "products",
            "vs2008",
            "vs2010 sp1",
            "vs2010",
            "header target",
            "machine intel",
            "utc entry",
            "point",
            "registrar",
            "csc corporate",
            "markmonitor inc",
            "ta0009 command",
            "control ta0011",
            "catalog tree",
            "analysis ob0001",
            "analysis ob0002",
            "command",
            "control ob0004",
            "defense evasion",
            "sample",
            "upx software",
            "upx packed",
            "evasion t1497",
            "may sleep",
            "packing f0001",
            "evasion b0003",
            "f0001 upx",
            "ob0006 software",
            "file",
            "post http",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "zenbox",
            "user",
            "files deleted",
            "files",
            "calls",
            "as15169 google",
            "united",
            "status",
            "date",
            "name servers",
            "cname",
            "passive dns",
            "search",
            "record value",
            "next",
            "error",
            "code",
            "unknown",
            "trojan",
            "found",
            "gmt contenttype",
            "sameorigin",
            "all scoreblue",
            "trojandropper",
            "matches rule",
            "et info",
            "generic http",
            "exe upload",
            "vtapi",
            "emails",
            "servers",
            "aaaa",
            "domain",
            "as13414 twitter",
            "backdoor",
            "ipv4",
            "pulse pulses",
            "virtool",
            "mirai",
            "analyzer paste",
            "iocs",
            "hostnames",
            "urls https",
            "borpa loading",
            "expiration",
            "url https",
            "akamai rank",
            "hostname",
            "twitter",
            "tsara brashears",
            "ip address",
            "pe resource",
            "apple ios",
            "threats",
            "malware",
            "scripts",
            "norton",
            "excel",
            "hacktool",
            "problem",
            "njrat",
            "ransomware",
            "open",
            "samples",
            "url http",
            "vercel",
            "server attack",
            "yara detections",
            "push",
            "scan endpoints",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "code overlap",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "copy",
            "host",
            "contentlength",
            "malware beacon",
            "show",
            "entries",
            "cape",
            "write",
            "expiration date",
            "tulach topic",
            "brian sabey",
            "hallrender",
            "apple id",
            "malicious url",
            "tag count",
            "tld count",
            "detection list",
            "blacklist https",
            "count blacklist",
            "tag tag",
            "no data",
            "tld aggregation",
            "combined",
            "contact",
            "as206834 team",
            "canada unknown",
            "div div",
            "redacted for",
            "unknown xn",
            "script script",
            "msie",
            "chrome",
            "precondition",
            "mtb oct",
            "body",
            "worm",
            "trojanspy",
            "xpire.info",
            "searchmeup",
            "as61969 team",
            "creation date",
            "domain robot",
            "win32",
            "et smtp",
            "message",
            "high",
            "mailrubar",
            "trojanclicker",
            "parking crew",
            "parking logic",
            "category",
            "trojan features",
            "file samples",
            "files matching",
            "date hash",
            "showing",
            "creates largekey",
            "threat sniper",
            "crouching yeti",
            "kitten",
            "camaro dragon",
            "google phish",
            "macros",
            "hiddentear",
            "plugins",
            "removes headers",
            "hitmen"
          ],
          "references": [
            "trojan.vtflooder/vflooder FileHash-SHA256  e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4",
            "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection",
            "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound",
            "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data",
            "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
            "https://fixupx.com/Yoda4ever/status/1819058165264404527",
            "Malicious IP: 1.3.6.1 ASNone  Generic.Malware has also been named in ransomware and other highly malicious attacks.",
            "http://borpatoken.com/ borpatoken.com",
            "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
            "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter",
            "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.",
            "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443",
            "X Vercel Servers",
            "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db",
            "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c",
            "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae",
            "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick",
            "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com",
            "Vtapi: scanter.comwww.twitter.comx.com",
            "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message",
            "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain",
            "Crypt3.BWVY: FileHash-SHA256  9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249",
            "Crypt3.BWVY: FileHash-SHA1  4c60cf6b7e2981f1c05c5a34f880c6020923014c",
            "Crypt3.BWVY: FileHash-MD5  947f28c8ab697548aca370c080187e6e"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            },
            {
              "id": "Win.Trojan.Occamy",
              "display_name": "Win.Trojan.Occamy",
              "target": null
            },
            {
              "id": "W32.AIDetectMalware",
              "display_name": "W32.AIDetectMalware",
              "target": null
            },
            {
              "id": "Trojan.Vtflooder/Vflooder",
              "display_name": "Trojan.Vtflooder/Vflooder",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Xpire.info",
              "display_name": "Xpire.info",
              "target": null
            },
            {
              "id": "Searchmeup",
              "display_name": "Searchmeup",
              "target": null
            },
            {
              "id": "Trojan:Win32/Trickler",
              "display_name": "Trojan:Win32/Trickler",
              "target": "/malware/Trojan:Win32/Trickler"
            },
            {
              "id": "Trojan:Win32/Comame",
              "display_name": "Trojan:Win32/Comame",
              "target": "/malware/Trojan:Win32/Comame"
            },
            {
              "id": "#VirTool:Win32/Obfuscator",
              "display_name": "#VirTool:Win32/Obfuscator",
              "target": "/malware/#VirTool:Win32/Obfuscator"
            },
            {
              "id": "Trojan:Win32/Pariham",
              "display_name": "Trojan:Win32/Pariham",
              "target": "/malware/Trojan:Win32/Pariham"
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 57,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1943,
            "FileHash-SHA1": 1637,
            "FileHash-SHA256": 3321,
            "URL": 1030,
            "domain": 646,
            "hostname": 1473,
            "email": 7,
            "CVE": 2
          },
          "indicator_count": 10059,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "558 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663b4a3d4df0c7f120a8c60c",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE [02/27/2024]",
          "description": "",
          "modified": "2024-05-08T09:47:41.535000",
          "created": "2024-05-08T09:47:41.535000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
            "192.168.0.25 [Network Router Admin Login to wireless routers]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": "65de914a22e80e90ac329dce",
          "export_count": 1176,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "711 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d97b3040e853a998bbd2cf",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
          "description": "GandCrab: GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab ransomware is malware that demands payment from the victim in order to restore access to encrypted files; if the victim does not pay, the files may be permanently lost (payment does not guarantee recovery). In many instances the infection is also used to control the device, spy on the victim, monitor DNS traffic, download other malware, and modify, delete or write files on the victim's device while remaining undetected.",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-24T05:14:24.088000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.",
            "192.168.0.25 [Network Router Admin Login to wireless routers]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable",
            "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d97b3131bb8503e087d749",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
          "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab ransomware is malware that encrypts the victim's files and demands payment to restore access to them; if the victim does not pay, the files may remain permanently inaccessible. In many instances the same infection is also used to control the device, monitor DNS traffic, download other malware, spy on targets, and modify, delete or write files on victim devices without being detected.",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-24T05:14:25.808000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.",
            "192.168.0.25 [Network Router Admin Login to wireless routers]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable",
            "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d97d89cda3f0dbf62f499d",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
          "description": "*Edit: I meant that AT&T may be unaware despite the reported outage. My AT&T study is private and was researched from a corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab ransomware is malware that encrypts the victim's files and demands payment to restore access to them; if the victim does not pay, the files may remain permanently inaccessible. In many instances the same infection is also used to control the device, monitor DNS traffic, download other malware, spy on targets, and modify, delete or write files on victim devices without being detected.",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-24T05:24:25.169000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
            "192.168.0.25 [Network Router Admin Login to wireless routers \u2022 RFC 1918 private address: this identifies a router login page on a local network, not an externally attributable indicator]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware [note: this address is a widely used public DNS resolver, so traffic to it is a weak standalone indicator and should be corroborated]",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d97d8e925459e97ca124c9",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
          "description": "*Edit: I meant that AT&T may be unaware despite the reported outage. My AT&T study is private and was researched from a corporate device. \n\nGandCrab: GandCrab was a Ransomware-as-a-Service (RaaS) family. Ransomware is malware that encrypts a victim's files and demands payment to restore access; if the victim does not pay, the files may be permanently unrecoverable unless a decryptor is available. Related activity attributed in this pulse includes monitoring DNS traffic, downloading additional malware, spying on targets, and modifying, deleting or writing data on victim devices while remaining undetected.",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-24T05:24:30.672000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
            "192.168.0.25 [Network Router Admin Login to wireless routers \u2022 RFC 1918 private address: this identifies a router login page on a local network, not an externally attributable indicator]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware [note: this address is a widely used public DNS resolver, so traffic to it is a weak standalone indicator and should be corroborated]",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65da19c17ee182a7fb5122a0",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
          "description": "",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-24T16:30:57.575000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
            "192.168.0.25 [Network Router Admin Login to wireless routers \u2022 RFC 1918 private address: this identifies a router login page on a local network, not an externally attributable indicator]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware [note: this address is a widely used public DNS resolver, so traffic to it is a weak standalone indicator and should be corroborated]",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": "65d97d8e925459e97ca124c9",
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65dc53a7d5ebf2b12d2e4bf1",
          "name": "test",
          "description": "",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-26T09:02:31.405000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
            "192.168.0.25 [Network Router Admin Login to wireless routers]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": "65da19c17ee182a7fb5122a0",
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "drissm69",
            "id": "272382",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65de914a22e80e90ac329dce",
          "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
          "description": "",
          "modified": "2024-03-25T03:03:48.639000",
          "created": "2024-02-28T01:50:02.478000",
          "tags": [
            "contacted",
            "t whois",
            "switch dns",
            "password",
            "adware",
            "trojan",
            "worm",
            "dns",
            "tracking",
            "ransomware",
            "as8075",
            "united",
            "unknown",
            "creation date",
            "search",
            "date",
            "entries",
            "pulse pulses",
            "passive dns",
            "urls",
            "defense",
            "date hash",
            "showing",
            "greatcall",
            "lively",
            "cname",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "sha256",
            "expiressat",
            "maxage31536000",
            "html info",
            "title access",
            "denied trackers",
            "bing ads",
            "ver2",
            "vids1",
            "msclkidn",
            "home pg",
            "utc google",
            "tag manager",
            "ssl certificate",
            "whois record",
            "referrer",
            "communicating",
            "whois whois",
            "historical ssl",
            "resolutions",
            "pe resource",
            "ip addresses",
            "execution",
            "malware",
            "urls url",
            "domains domain",
            "threat roundup",
            "cyber crime",
            "use collection",
            "files",
            "parent domain",
            "network",
            "december",
            "august",
            "round",
            "february",
            "june",
            "cobalt strike",
            "lockbit",
            "miner",
            "ransom",
            "show",
            "scan endpoints",
            "all octoseek",
            "filehash",
            "av detections",
            "ids detections",
            "copy",
            "conhost",
            "shell commands",
            "processes tree",
            "samplepath",
            "dynamicloader",
            "domain",
            "query",
            "etpro malware",
            "gandcrab dns",
            "lookup",
            "powershell",
            "write",
            "gandcrab",
            "as14061",
            "a domains",
            "meta",
            "type",
            "moved",
            "body",
            "encrypt",
            "germany unknown",
            "as3209 vodafone",
            "aaaa",
            "next",
            "error",
            "status",
            "as797 att",
            "copyright c",
            "record value",
            "expiration date",
            "name servers",
            "serving ip",
            "address",
            "date sat",
            "gmt contenttype",
            "win32 exe",
            "detections type",
            "name",
            "android",
            "decode",
            "crypt",
            "contacted urls",
            "relacionada",
            "agent tesla",
            "active threats",
            "spyware",
            "cyberstalking",
            "as54113",
            "as22075",
            "japan",
            "germany",
            "united kingdom",
            "australia",
            "as13789",
            "apple ios",
            "tsara brashears",
            "unlocker",
            "apple",
            "password",
            "apple private",
            "data collection",
            "cyber warfare",
            "core",
            "hacktool",
            "malicious",
            "banker",
            "keylogger",
            "bot networks",
            "elderly",
            "disability",
            "health phone",
            "brashears",
            "tsara",
            "brian",
            "m",
            "sabey",
            "tulach",
            "rsa sha256",
            "content type",
            "access",
            "length",
            "masquerade",
            "true defense",
            "fraud services"
          ],
          "references": [
            "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
            "192.168.0.25 [Network Router Admin Login to wireless routers]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
            "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
            "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
            "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
            "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
            "images.ctfassets.net [data collection of citizen]",
            "114.114.114.114 - Tulach Malware",
            "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
            "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
            "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
            "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
            "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
            "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
            "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
            "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
            "ttp://nomoreransom.coin/ [method \u2022 user agent]",
            "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
            "Cobalt Strike | 3.12.49.0 | Amazon 02",
            "uversecentral3.att.com [decode cookie \u2022 unlock]",
            "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
            "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.E",
              "display_name": "Ransom:Win32/GandCrab.E",
              "target": "/malware/Ransom:Win32/GandCrab.E"
            },
            {
              "id": "Win.Packer.Crypter-6539596-1",
              "display_name": "Win.Packer.Crypter-6539596-1",
              "target": null
            },
            {
              "id": "ETPro",
              "display_name": "ETPro",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "ALF:TrojanSpy:Win32/Keylogger",
              "display_name": "ALF:TrojanSpy:Win32/Keylogger",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0006",
              "name": "Credential Access",
              "display_name": "TA0006 - Credential Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1183",
              "name": "Image File Execution Options Injection",
              "display_name": "T1183 - Image File Execution Options Injection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": "65d97d89cda3f0dbf62f499d",
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 231,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1628,
            "URL": 298,
            "domain": 1047,
            "hostname": 877,
            "email": 7
          },
          "indicator_count": 4305,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "755 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c5e50dda752af9eab50933",
          "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork",
          "description": "Pegasus abuse by an alleged legal team with the malware-hosting DGA domain https://hallrender.com. Related to an ongoing attack by an M. Brian Sabey who has fixated on a non-criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts, Side 3 provides services to Grammy award-winning, nominated and aspiring artists. If you've heard of them, they've recorded there. There is evidence of music file transfers, possibly sold illegally to a well-known artist. This may have been done without the knowledge of studio representatives. More likely by a hacker who boldly informed.",
          "modified": "2024-03-10T08:03:07.690000",
          "created": "2024-02-09T08:40:45.976000",
          "tags": [
            "malware",
            "pegasus",
            "cellbrite",
            "targets sa",
            "survivor",
            "referrer",
            "contacted urls",
            "contacted",
            "whois record",
            "hr rtd",
            "execution",
            "ssl certificate",
            "communicating",
            "skynet",
            "malicious",
            "csc corporate",
            "domains",
            "code",
            "t services",
            "date",
            "saint louis",
            "server",
            "registrar abuse",
            "whois lookups",
            "tech email",
            "threat roundup",
            "july",
            "march",
            "june",
            "files",
            "august",
            "phishing",
            "service",
            "amadey",
            "blacknet rat",
            "roundup",
            "magecart",
            "powershell",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "gmt vary",
            "gmt connection",
            "link",
            "studio",
            "side",
            "studios",
            "downtown denver",
            "colorado",
            "studios og",
            "html info",
            "title denver",
            "studios meta",
            "tags og",
            "hallrender",
            "mark brian sabey",
            "tulach",
            "passive dns",
            "urls",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "united",
            "as36646 oath",
            "unknown",
            "body doctype",
            "yahoo title",
            "x ua",
            "ieedge chrome1",
            "possible",
            "as19137 epsilon",
            "ipv4",
            "pulse pulses",
            "body",
            "headers nel",
            "contentencoding",
            "connection",
            "access control",
            "search",
            "address",
            "domain robot",
            "record value",
            "next",
            "parking crew",
            "tracking",
            "tsara brashears",
            "targeting",
            "as20940",
            "aaaa",
            "as714 apple",
            "as16625 akamai",
            "win32mydoom feb",
            "name servers",
            "as6185 apple",
            "creation date",
            "trojan",
            "virtool",
            "worm",
            "servers",
            "expiration date",
            "moved",
            "certificate",
            "showing",
            "entries"
          ],
          "references": [
            "adsl-074-168-130-217.sip.pns.bellsouth.net",
            "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
            "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm",
            "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]",
            "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios",
            "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21",
            "https://otx.alienvault.com/indicator/ip/74.6.231.21",
            "nr-data.net [Apple Private Data Collection]",
            "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]",
            "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]"
          ],
          "public": 1,
          "adversary": "NSO GROUP",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "AMADEY",
              "display_name": "AMADEY",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "BlackNET RAT",
              "display_name": "BlackNET RAT",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3263,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 2596,
            "domain": 1168,
            "hostname": 1877,
            "CVE": 2,
            "email": 6
          },
          "indicator_count": 9170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "770 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65be56d257bb241c4fa3f68d",
          "name": "AZORult CnC",
          "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals cryptocurrency wallets - Monero and uCoin\nSteals Steam and Telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet Protocol (IP) information and download/execute/delete files\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromises system security - with backdoor capabilities that can execute malicious commands and download and install additional malware",
          "modified": "2024-03-04T14:03:17.574000",
          "created": "2024-02-03T15:08:02.291000",
          "tags": [
            "ssl certificate",
            "whois record",
            "threat roundup",
            "whois whois",
            "january",
            "historical ssl",
            "referrer",
            "april",
            "resolutions",
            "siblings domain",
            "march",
            "february",
            "obz4usfn0 http",
            "problems",
            "threat network",
            "infrastructure",
            "st201601152",
            "startpage",
            "iframe",
            "united",
            "unknown",
            "search",
            "showing",
            "united kingdom",
            "creation date",
            "aaaa",
            "cname",
            "scan endpoints",
            "all octoseek",
            "date",
            "next",
            "script urls",
            "soa nxdomain",
            "link",
            "xml title",
            "portugal",
            "domain",
            "status",
            "expiration date",
            "pulse pulses",
            "as44273 host",
            "domain robot",
            "as61969 team",
            "body",
            "as8075",
            "netherlands",
            "servers",
            "emails",
            "duo insight",
            "type",
            "asnone united",
            "name servers",
            "germany unknown",
            "passive dns",
            "as14061",
            "as49453",
            "lowfi",
            "a domains",
            "urls",
            "privacy inc",
            "customer",
            "trojandropper",
            "dynamicloader",
            "default",
            "medium",
            "entries",
            "khtml",
            "download",
            "show",
            "activity",
            "http",
            "copy",
            "write",
            "malware",
            "adware affiliate",
            "hostname",
            "trojan",
            "pulse submit",
            "url analysis",
            "files",
            "as212913 fop",
            "russia unknown",
            "as397240",
            "as15169 google",
            "as19237 omnis",
            "as22169 omnis",
            "as20068 hawk",
            "as133618",
            "as47846",
            "as22489",
            "encrypt",
            "record value",
            "pragma",
            "accept ch",
            "ireland unknown",
            "msie",
            "chrome",
            "style",
            "gmt setcookie",
            "as6724 strato",
            "core",
            "win32",
            "backdoor",
            "expl",
            "exploit",
            "ipv4",
            "virtool",
            "azorult cnc",
            "possible",
            "as7018 att",
            "regsetvalueexa",
            "china as4134",
            "service",
            "asnone",
            "dns lookup",
            "ransom",
            "push",
            "eternalblue",
            "recon",
            "playgame",
            "domain name",
            "as13768 aptum",
            "meta",
            "error",
            "as43350 nforce",
            "as55286",
            "as60558 phoenix",
            "ip address",
            "registrar",
            "1996",
            "contacted",
            "unlocker",
            "red team",
            "af81 http",
            "execution",
            "open",
            "whois sslcert",
            "suspicious c2",
            "cve202322518",
            "collection",
            "vt graph",
            "excel",
            "emotet",
            "metro",
            "jeffrey reimer pt",
            "sharecare",
            "tsara brashears",
            "apple",
            "icloud"
          ],
          "references": [
            "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
            "qbot.zip",
            "imp.fusioninstall.com",
            "https://mylegalbid.com/malwarebytes",
            "192.185.223.216 | 192.168.56.1 [malware]",
            "http://45.159.189.105/bot/regex",
            "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
            "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
            "xhamster.comyouporn.com",
            "cams4all.com",
            "watchhers.net",
            "weconnect.com",
            "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
            "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
            "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
            "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
            "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
            "https://www.songculture.com/tsara-lynn-brashears-music",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "youramateuporn.com",
            "ns2.abovedomains.com",
            "ww16.porn-community.porn25.com",
            "https://totallyspies.1000hentai.com/tag/clover-porn/",
            "pirateproxy.cc",
            "mwilliams.dev@gmail.com | piratepages.com",
            "838114.parkingcrew.net",
            "static-push-preprod.porndig.com",
            "www.redtube.comyouporn.com",
            "https://severeporn-com.pornproxy.page/",
            "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
            "yoursexy.porn | indianyouporn.com",
            "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
            "cdn.pornsocket.com",
            "http://secure.indianpornpass.com/track/hotpornstuff",
            "www.anyxxxtube.net",
            "https://twitter.com/PORNO_SEXYBABES",
            "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
            "campaign-manager.sharecare.com",
            "qa.companycam.com",
            "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
            "24-70mm.camera",
            "dropboxpayments.com",
            "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
            "http://xred.mooo.com",
            "https://sexgalaxy.net/tag/rodneymoore/",
            "http://alive.overit.com/~schoolbu/badmood3.exe",
            "jimgaffigan.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland",
            "United States of America",
            "Netherlands",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Adware Affiliate",
              "display_name": "Adware Affiliate",
              "target": null
            },
            {
              "id": "AZORult CnC",
              "display_name": "AZORult CnC",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "VirTool",
              "display_name": "VirTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 737,
            "FileHash-SHA1": 692,
            "FileHash-SHA256": 7488,
            "URL": 6694,
            "domain": 5247,
            "hostname": 2932,
            "email": 49,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 23842,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "776 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65be56d6df9d36bac14ccd87",
          "name": "AZORult CnC",
          "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals cryptocurrency wallets - Monero and uCoin\nSteals Steam and Telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet Protocol (IP) information and download/execute/delete files\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromises system security - with backdoor capabilities that can execute malicious commands and download and install additional malware",
          "modified": "2024-03-04T14:03:17.574000",
          "created": "2024-02-03T15:08:06.808000",
          "tags": [
            "ssl certificate",
            "whois record",
            "threat roundup",
            "whois whois",
            "january",
            "historical ssl",
            "referrer",
            "april",
            "resolutions",
            "siblings domain",
            "march",
            "february",
            "obz4usfn0 http",
            "problems",
            "threat network",
            "infrastructure",
            "st201601152",
            "startpage",
            "iframe",
            "united",
            "unknown",
            "search",
            "showing",
            "united kingdom",
            "creation date",
            "aaaa",
            "cname",
            "scan endpoints",
            "all octoseek",
            "date",
            "next",
            "script urls",
            "soa nxdomain",
            "link",
            "xml title",
            "portugal",
            "domain",
            "status",
            "expiration date",
            "pulse pulses",
            "as44273 host",
            "domain robot",
            "as61969 team",
            "body",
            "as8075",
            "netherlands",
            "servers",
            "emails",
            "duo insight",
            "type",
            "asnone united",
            "name servers",
            "germany unknown",
            "passive dns",
            "as14061",
            "as49453",
            "lowfi",
            "a domains",
            "urls",
            "privacy inc",
            "customer",
            "trojandropper",
            "dynamicloader",
            "default",
            "medium",
            "entries",
            "khtml",
            "download",
            "show",
            "activity",
            "http",
            "copy",
            "write",
            "malware",
            "adware affiliate",
            "hostname",
            "trojan",
            "pulse submit",
            "url analysis",
            "files",
            "as212913 fop",
            "russia unknown",
            "as397240",
            "as15169 google",
            "as19237 omnis",
            "as22169 omnis",
            "as20068 hawk",
            "as133618",
            "as47846",
            "as22489",
            "encrypt",
            "record value",
            "pragma",
            "accept ch",
            "ireland unknown",
            "msie",
            "chrome",
            "style",
            "gmt setcookie",
            "as6724 strato",
            "core",
            "win32",
            "backdoor",
            "expl",
            "exploit",
            "ipv4",
            "virtool",
            "azorult cnc",
            "possible",
            "as7018 att",
            "regsetvalueexa",
            "china as4134",
            "service",
            "asnone",
            "dns lookup",
            "ransom",
            "push",
            "eternalblue",
            "recon",
            "playgame",
            "domain name",
            "as13768 aptum",
            "meta",
            "error",
            "as43350 nforce",
            "as55286",
            "as60558 phoenix",
            "ip address",
            "registrar",
            "1996",
            "contacted",
            "unlocker",
            "red team",
            "af81 http",
            "execution",
            "open",
            "whois sslcert",
            "suspicious c2",
            "cve202322518",
            "collection",
            "vt graph",
            "excel",
            "emotet",
            "metro",
            "jeffrey reimer pt",
            "sharecare",
            "tsara brashears",
            "apple",
            "icloud"
          ],
          "references": [
            "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
            "qbot.zip",
            "imp.fusioninstall.com",
            "https://mylegalbid.com/malwarebytes",
            "192.185.223.216 | 192.168.56.1 [malware]",
            "http://45.159.189.105/bot/regex",
            "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
            "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
            "xhamster.comyouporn.com",
            "cams4all.com",
            "watchhers.net",
            "weconnect.com",
            "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
            "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
            "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
            "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
            "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
            "https://www.songculture.com/tsara-lynn-brashears-music",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "youramateuporn.com",
            "ns2.abovedomains.com",
            "ww16.porn-community.porn25.com",
            "https://totallyspies.1000hentai.com/tag/clover-porn/",
            "pirateproxy.cc",
            "mwilliams.dev@gmail.com | piratepages.com",
            "838114.parkingcrew.net",
            "static-push-preprod.porndig.com",
            "www.redtube.comyouporn.com",
            "https://severeporn-com.pornproxy.page/",
            "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
            "yoursexy.porn | indianyouporn.com",
            "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
            "cdn.pornsocket.com",
            "http://secure.indianpornpass.com/track/hotpornstuff",
            "www.anyxxxtube.net",
            "https://twitter.com/PORNO_SEXYBABES",
            "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
            "campaign-manager.sharecare.com",
            "qa.companycam.com",
            "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
            "24-70mm.camera",
            "dropboxpayments.com",
            "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
            "http://xred.mooo.com",
            "https://sexgalaxy.net/tag/rodneymoore/",
            "http://alive.overit.com/~schoolbu/badmood3.exe",
            "jimgaffigan.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland",
            "United States of America",
            "Netherlands",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Adware Affiliate",
              "display_name": "Adware Affiliate",
              "target": null
            },
            {
              "id": "AZORult CnC",
              "display_name": "AZORult CnC",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "VirTool",
              "display_name": "VirTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8134,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 737,
            "FileHash-SHA1": 692,
            "FileHash-SHA256": 7488,
            "URL": 6694,
            "domain": 5247,
            "hostname": 2932,
            "email": 49,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 23842,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "776 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "ns2.abovedomains.com",
        "jimgaffigan.com",
        "trojan.vtflooder/vflooder FileHash-SHA256  e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4",
        "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c",
        "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick",
        "images.ctfassets.net [data collection of citizen]",
        "https://totallyspies.1000hentai.com/tag/clover-porn/",
        "weconnect.com",
        "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
        "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
        "uversecentral3.att.com [decode cookie \u2022 unlock]",
        "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
        "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
        "http://xred.mooo.com",
        "http://secure.indianpornpass.com/track/hotpornstuff",
        "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios",
        "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
        "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "192.168.0.25 [Network Router Admin Login to wireless routers]",
        "Vtapi: scanter.comwww.twitter.comx.com",
        "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
        "Crypt3.BWVY: FileHash-MD5  947f28c8ab697548aca370c080187e6e",
        "https://otx.alienvault.com/indicator/ip/74.6.231.21",
        "qa.companycam.com",
        "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
        "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
        "24-70mm.camera",
        "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter",
        "savethemalesdenver.com | brasville.com.br?",
        "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
        "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
        "Crypt3.BWVY: FileHash-SHA256  9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249",
        "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
        "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
        "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
        "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
        "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
        "ttp://nomoreransom.coin/ [method \u2022 user agent]",
        "192.185.223.216 | 192.168.56.1 [malware]",
        "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
        "Malicious IP: 1.3.6.1 ASNone  Generic.Malware has also been named in ransomware and other highly malicious attacks.",
        "campaign-manager.sharecare.com",
        "https://www.songculture.com/tsara-lynn-brashears-music",
        "Yara Detections: is__elf",
        "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
        "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
        "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
        "Title The page title. Chieti Meteo - Webcam Abruzzo",
        "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
        "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db",
        "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
        "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
        "http://45.159.189.105/bot/regex",
        "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com",
        "http://alive.overit.com/~schoolbu/badmood3.exe",
        "114.114.114.114 - Tulach Malware",
        "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
        "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
        "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
        "https://sexgalaxy.net/tag/rodneymoore/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "ww16.porn-community.porn25.com",
        "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
        "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
        "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
        "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
        "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]",
        "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm",
        "xhamster.comyouporn.com",
        "https://fixupx.com/Yoda4ever/status/1819058165264404527",
        "imp.fusioninstall.com",
        "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
        "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound",
        "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
        "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
        "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain",
        "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection",
        "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
        "youramateuporn.com",
        "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
        "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
        "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "X Vercel Servers",
        "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
        "Cobalt Strike | 3.12.49.0 | Amazon 02",
        "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
        "dropboxpayments.com",
        "838114.parkingcrew.net",
        "https://twitter.com/PORNO_SEXYBABES",
        "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
        "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.",
        "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
        "cdn.pornsocket.com",
        "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
        "cams4all.com",
        "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
        "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
        "adsl-074-168-130-217.sip.pns.bellsouth.net",
        "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443",
        "static-push-preprod.porndig.com",
        "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
        "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]",
        "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "https://mylegalbid.com/malwarebytes",
        "mwilliams.dev@gmail.com | piratepages.com",
        "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
        "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
        "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com",
        "watchhers.net",
        "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
        "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
        "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
        "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "pirateproxy.cc",
        "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
        "ELF:Mirai-TO\\ [Trj] tulach.cc",
        "qbot.zip",
        "www.anyxxxtube.net",
        "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21",
        "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]",
        "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
        "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data",
        "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
        "https://severeporn-com.pornproxy.page/",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
        "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000",
        "http://borpatoken.com/ borpatoken.com",
        "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
        "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
        "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message",
        "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae",
        "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
        "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
        "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
        "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
        "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
        "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
        "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
        "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
        "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
        "yoursexy.porn | indianyouporn.com",
        "nr-data.net [Apple Private Data Collection]",
        "Crypt3.BWVY: FileHash-SHA1  4c60cf6b7e2981f1c05c5a34f880c6020923014c",
        "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
        "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
        "www.redtube.comyouporn.com",
        "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
        "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "NSO GROUP",
            "busybox MIORI Hackers"
          ],
          "malware_families": [
            "W32.aidetectmalware",
            "#virtool:win32/obfuscator",
            "Trojan.vtflooder/vflooder",
            "Hallrender",
            "Backdoor:linux/mirai.b",
            "Backdoor:win32/bladabindi",
            "Artro",
            "Trojan:win32/trickler",
            "Trojanspy",
            "Trojan:win32/vflooder.a",
            "Ransom:win32/gandcrab.ae",
            "Win32:ransomx-gen\\ [ransom]",
            "Tulach",
            "Alf:e5",
            "Blacknet rat",
            "Adware affiliate",
            "Crypt3.blxp",
            "Virtool",
            "Amadey",
            "Mirai",
            "Azorult cnc",
            "Emotet",
            "Alf:trojanspy:win32/keylogger",
            "Trojan:win32/emotet.arj!mtb",
            "Pegasus",
            "Telper:hstr:dotcisoffer",
            "Etpro",
            "Searchmeup",
            "Win.malware.midie-9950743-0",
            "Ransom:win32/gandcrab.e",
            "Win.packer.crypter-6539596-1",
            "Possible",
            "Elf:mirai-to\\ [trj]",
            "Skynet",
            "Tulach malware",
            "Sabey",
            "Trojan:win32/pariham",
            "Xpire.info",
            "Win.trojan.occamy",
            "Malware",
            "Cobalt strike",
            "Trojan:win32/comame",
            "Trojandownloader:win32/bulilit",
            "Trojanspy:win32/nivdort"
          ],
          "industries": [
            "Technology",
            "Telecommunications",
            "Civil society"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "688b0fbceab364a2b84b1124",
      "name": "Busybox MIORI Hackers - ongoing  Aurora , Medical Campus -Mirai [by scoreblue -Team 8]",
      "description": "",
      "modified": "2025-07-31T06:39:56.204000",
      "created": "2025-07-31T06:39:56.204000",
      "tags": [
        "idnischdr http",
        "computer",
        "america asn",
        "as7018 att",
        "url https",
        "america",
        "united states",
        "united",
        "germany",
        "italy",
        "trojan",
        "all scoreblue",
        "report spam",
        "created",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "all search",
        "author avatar",
        "miori hackers",
        "file score",
        "detections elf",
        "path",
        "busybox busybox",
        "brute force",
        "attack bad",
        "login yara",
        "detections",
        "sid name",
        "malware cve",
        "suspicious path",
        "busybox",
        "activity",
        "system",
        "malware beacon",
        "bad login",
        "attack",
        "port",
        "destination",
        "show",
        "search",
        "exif data",
        "property value",
        "elf info",
        "key value",
        "x86 baddr",
        "elf64 crypto",
        "final url",
        "ip address",
        "status code",
        "body",
        "kb body",
        "sha256",
        "server",
        "gmt connection",
        "date sun",
        "gmt contenttype",
        "filehashsha256",
        "crazy doll",
        "next",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cgb stgreater",
        "cnsectigo rsa",
        "secure server",
        "ca validity",
        "cus stcolorado",
        "info",
        "director",
        "orgtechhandle",
        "orgtechref",
        "university",
        "whois lookup",
        "netrange",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "network",
        "registry arin",
        "country us",
        "continent na",
        "meta",
        "script script",
        "lance mueller",
        "mueller",
        "unknown",
        "script urls",
        "photography",
        "passive dns",
        "urls",
        "model",
        "creation date",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "domain",
        "status",
        "http",
        "record value",
        "emails",
        "dnssec",
        "domain name",
        "backdoor",
        "bad request",
        "entries",
        "title style",
        "f2f2f2 color",
        "helvetica neue",
        "exploit",
        "browse scan",
        "endpoints all",
        "search otx",
        "related pulses",
        "file samples",
        "files matching",
        "as44273 host",
        "showing",
        "telper",
        "date hash",
        "copyright",
        "url http",
        "win64",
        "as53665 bodis",
        "aaaa",
        "as206834 team",
        "canada unknown",
        "read c",
        "create c",
        "write c",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "delete c",
        "dock",
        "write",
        "execution",
        "copy",
        "xport",
        "1575038779",
        "medium",
        "capture",
        "malware",
        "february",
        "as61969 team",
        "servers",
        "domain robot",
        "expiration date",
        "as714 apple",
        "as42 woodynet",
        "nxdomain",
        "name servers",
        "a nxdomain",
        "ipv4",
        "found",
        "control",
        "content type",
        "as20940",
        "asnone united",
        "as701 verizon",
        "as2914 ntt",
        "win32",
        "certificate",
        "date",
        "dynamicloader",
        "high",
        "t1055",
        "attempts",
        "yara detections",
        "bitcoinaltcoin",
        "code injection",
        "high defense",
        "ip related",
        "pulses otx",
        "pulses",
        "overview domain",
        "files ip",
        "address domain",
        "related tags",
        "pulse pulses",
        "div div",
        "as49505",
        "span",
        "form",
        "as6185 apple",
        "china",
        "as4812 china",
        "as17816 china",
        "as4134 chinanet",
        "scan endpoints",
        "trojan features",
        "enigmaprotector",
        "dynamic",
        "powershell",
        "filehash",
        "for privacy",
        "ltd dba",
        "com laude",
        "cname",
        "cve20170147 sep",
        "verdict",
        "as63949 linode",
        "https",
        "as8075",
        "united kingdom",
        "whitelisted",
        "as25825",
        "moved",
        "aurora",
        "redacted for",
        "whois lookups",
        "orgid",
        "east",
        "seen",
        "update date",
        "cidr",
        "netname uch",
        "parent net168",
        "nettype direct",
        "contacted",
        "tulach",
        "brian sabey"
      ],
      "references": [
        "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
        "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "ELF:Mirai-TO\\ [Trj] tulach.cc",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
        "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "Yara Detections: is__elf",
        "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
        "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
        "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
        "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
        "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
        "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
        "Title The page title. Chieti Meteo - Webcam Abruzzo",
        "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
        "savethemalesdenver.com | brasville.com.br?",
        "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
        "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
        "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
        "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
        "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
        "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
        "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
        "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
        "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
        "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
        "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
        "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
        "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
        "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
        "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
        "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
        "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
        "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
        "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
        "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
        "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
        "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
        "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
        "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
        "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
        "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
        "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
      ],
      "public": 1,
      "adversary": "busybox MIORI Hackers",
      "targeted_countries": [
        "United States of America",
        "Mexico"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Bulilit",
          "display_name": "TrojanDownloader:Win32/Bulilit",
          "target": "/malware/TrojanDownloader:Win32/Bulilit"
        },
        {
          "id": "ELF:Mirai-TO\\ [Trj]",
          "display_name": "ELF:Mirai-TO\\ [Trj]",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai.B",
          "display_name": "Backdoor:Linux/Mirai.B",
          "target": "/malware/Backdoor:Linux/Mirai.B"
        },
        {
          "id": "TELPER:HSTR:DotCisOffer",
          "display_name": "TELPER:HSTR:DotCisOffer",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Backdoor:Win32/Bladabindi",
          "display_name": "Backdoor:Win32/Bladabindi",
          "target": "/malware/Backdoor:Win32/Bladabindi"
        },
        {
          "id": "ALF:E5",
          "display_name": "ALF:E5",
          "target": null
        },
        {
          "id": "Win.Malware.Midie-9950743-0",
          "display_name": "Win.Malware.Midie-9950743-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Emotet.ARJ!MTB",
          "display_name": "Trojan:Win32/Emotet.ARJ!MTB",
          "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66fb3c4e8a2593134641f3c0",
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 459,
        "FileHash-MD5": 1228,
        "FileHash-SHA1": 1163,
        "FileHash-SHA256": 2243,
        "domain": 876,
        "hostname": 1088,
        "CIDR": 2,
        "email": 17,
        "CVE": 2,
        "SSLCertFingerprint": 5
      },
      "indicator_count": 7083,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "262 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66fc29a49b5ac693c8d75122",
      "name": "Medical Campus - Aurora, Co | Recheck",
      "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop-up auto-logins on locked screens and an autonomous system running alongside the actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
      "modified": "2024-10-31T16:03:52.240000",
      "created": "2024-10-01T16:56:04.004000",
      "tags": [
        "united",
        "as397240",
        "search",
        "showing",
        "as54113",
        "as397241",
        "unknown",
        "moved",
        "creation date",
        "record value",
        "next",
        "date",
        "body",
        "a domains",
        "passive dns",
        "formbook cnc",
        "checkin",
        "entries",
        "github pages",
        "sea x",
        "accept",
        "status",
        "name servers",
        "certificate",
        "urls",
        "aaaa",
        "cname",
        "meta",
        "whitelisted ip",
        "address",
        "location united",
        "asn as36459",
        "github",
        "less whois",
        "registrar",
        "markmonitor",
        "related tags",
        "as36459",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "files",
        "ninite",
        "expiration date",
        "domain",
        "hostname",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "document file",
        "v2 document",
        "utf8",
        "crlf line",
        "beginstring",
        "size",
        "null",
        "hybrid",
        "refresh",
        "span",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "url https",
        "tulach type",
        "role title",
        "added active",
        "pulses url",
        "url http",
        "nextc type",
        "type indicator",
        "related pulses",
        "filehashsha256",
        "copyright",
        "ipv6",
        "germany",
        "italy",
        "trojan",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "linux x8664",
        "khtml",
        "gecko",
        "veryhigh",
        "redirect",
        "httpsupgrades",
        "collisionbox",
        "runner",
        "gameoverpanel",
        "trex",
        "orgtechhandle",
        "orgtechref",
        "director",
        "university",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "orgid",
        "east",
        "report spam",
        "as8075",
        "servers",
        "secure server",
        "error all",
        "typeof",
        "error f",
        "crazy doll",
        "created",
        "filehashmd5",
        "types of",
        "russia",
        "emotet type",
        "mirai type",
        "mirai",
        "mtb description",
        "win32 type",
        "as31034 aruba",
        "italy unknown",
        "as19527 google",
        "encrypt",
        "health type",
        "miori hackers",
        "brute force",
        "backdoor",
        "aurora",
        "ip address",
        "path",
        "unis",
        "dotcisoffer",
        "bladabindi",
        "artro",
        "script urls",
        "as46606",
        "brazil unknown",
        "as11284",
        "as10906",
        "apache",
        "lanc type",
        "telper",
        "win32",
        "win64",
        "pulses email",
        "as9009 m247",
        "as7296 alchemy",
        "as14061",
        "as16276",
        "trojandropper",
        "ransom",
        "mtb sep",
        "msie",
        "chrome",
        "ip check",
        "gmt content",
        "pulse submit",
        "url analysis",
        "files ip",
        "aaaa nxdomain",
        "nxdomain",
        "a nxdomain",
        "as22612",
        "dnssec",
        "meta http",
        "accept encoding",
        "request id",
        "united kingdom",
        "div div",
        "arial helvetica",
        "emails",
        "as15169 google",
        "cryp",
        "gmt cache",
        "sameorigin",
        "domain name",
        "code",
        "false",
        "command type",
        "roleselfservice",
        "mcig sep",
        "all search",
        "author avatar",
        "days ago",
        "http",
        "related nids",
        "files location",
        "as30081",
        "gmt contenttype",
        "mozilla",
        "as15133 verizon",
        "whitelisted",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "request",
        "softcnapp",
        "overview ip",
        "flag united",
        "files related",
        "as62597 nsone",
        "as31898 oracle",
        "mtb aug",
        "class",
        "twitter",
        "april",
        "secure",
        "httponly",
        "expiresthu",
        "pragma",
        "as13414 twitter",
        "smoke loader",
        "reverse dns",
        "asnone united",
        "idlogin sep",
        "uid38009",
        "expiration",
        "hack type",
        "porn type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Italy",
        "Aruba"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 53,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3850,
        "FileHash-MD5": 6012,
        "FileHash-SHA1": 5906,
        "domain": 3329,
        "email": 33,
        "hostname": 4231,
        "CVE": 2,
        "FileHash-SHA256": 8407,
        "CIDR": 2,
        "SSLCertFingerprint": 7
      },
      "indicator_count": 31779,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "535 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66fb3c4e8a2593134641f3c0",
      "name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai",
      "description": "*Tipped-Patient reports computers with fully locked screens log in every time she enters a room at UC Health Anschutz Campus. Unauthorized Login: http://ITSupport.UCHealth.org. Graphs deleted from Virus Total\u00bbLogin ID: 168.200.45.168 [bound]. I've tried to post this pulse multiple times. IPs were contacted. Brute force attempts on my device. Anyway it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups' silencing crime victims, journalists, dissidents, potential whistleblowers. One victim was attacked physically and is losing a health battle. Doctors unwilling to treat. Auto populated\u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website of www.forensickb.co.uk..com. hmmm...there was a counterattack.",
      "modified": "2024-10-30T22:04:06.705000",
      "created": "2024-10-01T00:03:26.199000",
      "tags": [
        "idnischdr http",
        "computer",
        "america asn",
        "as7018 att",
        "url https",
        "america",
        "united states",
        "united",
        "germany",
        "italy",
        "trojan",
        "all scoreblue",
        "report spam",
        "created",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "all search",
        "author avatar",
        "miori hackers",
        "file score",
        "detections elf",
        "path",
        "busybox busybox",
        "brute force",
        "attack bad",
        "login yara",
        "detections",
        "sid name",
        "malware cve",
        "suspicious path",
        "busybox",
        "activity",
        "system",
        "malware beacon",
        "bad login",
        "attack",
        "port",
        "destination",
        "show",
        "search",
        "exif data",
        "property value",
        "elf info",
        "key value",
        "x86 baddr",
        "elf64 crypto",
        "final url",
        "ip address",
        "status code",
        "body",
        "kb body",
        "sha256",
        "server",
        "gmt connection",
        "date sun",
        "gmt contenttype",
        "filehashsha256",
        "crazy doll",
        "next",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cgb stgreater",
        "cnsectigo rsa",
        "secure server",
        "ca validity",
        "cus stcolorado",
        "info",
        "director",
        "orgtechhandle",
        "orgtechref",
        "university",
        "whois lookup",
        "netrange",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "network",
        "registry arin",
        "country us",
        "continent na",
        "meta",
        "script script",
        "lance mueller",
        "mueller",
        "unknown",
        "script urls",
        "photography",
        "passive dns",
        "urls",
        "model",
        "creation date",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "domain",
        "status",
        "http",
        "record value",
        "emails",
        "dnssec",
        "domain name",
        "backdoor",
        "bad request",
        "entries",
        "title style",
        "f2f2f2 color",
        "helvetica neue",
        "exploit",
        "browse scan",
        "endpoints all",
        "search otx",
        "related pulses",
        "file samples",
        "files matching",
        "as44273 host",
        "showing",
        "telper",
        "date hash",
        "copyright",
        "url http",
        "win64",
        "as53665 bodis",
        "aaaa",
        "as206834 team",
        "canada unknown",
        "read c",
        "create c",
        "write c",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "delete c",
        "dock",
        "write",
        "execution",
        "copy",
        "xport",
        "1575038779",
        "medium",
        "capture",
        "malware",
        "february",
        "as61969 team",
        "servers",
        "domain robot",
        "expiration date",
        "as714 apple",
        "as42 woodynet",
        "nxdomain",
        "name servers",
        "a nxdomain",
        "ipv4",
        "found",
        "control",
        "content type",
        "as20940",
        "asnone united",
        "as701 verizon",
        "as2914 ntt",
        "win32",
        "certificate",
        "date",
        "dynamicloader",
        "high",
        "t1055",
        "attempts",
        "yara detections",
        "bitcoinaltcoin",
        "code injection",
        "high defense",
        "ip related",
        "pulses otx",
        "pulses",
        "overview domain",
        "files ip",
        "address domain",
        "related tags",
        "pulse pulses",
        "div div",
        "as49505",
        "span",
        "form",
        "as6185 apple",
        "china",
        "as4812 china",
        "as17816 china",
        "as4134 chinanet",
        "scan endpoints",
        "trojan features",
        "enigmaprotector",
        "dynamic",
        "powershell",
        "filehash",
        "for privacy",
        "ltd dba",
        "com laude",
        "cname",
        "cve20170147 sep",
        "verdict",
        "as63949 linode",
        "https",
        "as8075",
        "united kingdom",
        "whitelisted",
        "as25825",
        "moved",
        "aurora",
        "redacted for",
        "whois lookups",
        "orgid",
        "east",
        "seen",
        "update date",
        "cidr",
        "netname uch",
        "parent net168",
        "nettype direct",
        "contacted",
        "tulach",
        "brian sabey"
      ],
      "references": [
        "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
        "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "ELF:Mirai-TO\\ [Trj] tulach.cc",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
        "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "Yara Detections: is__elf",
        "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
        "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
        "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
        "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
        "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
        "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
        "Title The page title. Chieti Meteo - Webcam Abruzzo",
        "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
        "savethemalesdenver.com | brasville.com.br?",
        "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
        "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
        "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
        "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
        "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
        "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
        "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
        "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
        "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
        "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
        "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
        "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
        "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
        "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
        "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
        "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
        "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
        "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
        "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
        "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
        "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
        "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
        "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
        "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
        "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
        "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
        "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
      ],
      "public": 1,
      "adversary": "busybox MIORI Hackers",
      "targeted_countries": [
        "United States of America",
        "Mexico"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Bulilit",
          "display_name": "TrojanDownloader:Win32/Bulilit",
          "target": "/malware/TrojanDownloader:Win32/Bulilit"
        },
        {
          "id": "ELF:Mirai-TO\\ [Trj]",
          "display_name": "ELF:Mirai-TO\\ [Trj]",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai.B",
          "display_name": "Backdoor:Linux/Mirai.B",
          "target": "/malware/Backdoor:Linux/Mirai.B"
        },
        {
          "id": "TELPER:HSTR:DotCisOffer",
          "display_name": "TELPER:HSTR:DotCisOffer",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Backdoor:Win32/Bladabindi",
          "display_name": "Backdoor:Win32/Bladabindi",
          "target": "/malware/Backdoor:Win32/Bladabindi"
        },
        {
          "id": "ALF:E5",
          "display_name": "ALF:E5",
          "target": null
        },
        {
          "id": "Win.Malware.Midie-9950743-0",
          "display_name": "Win.Malware.Midie-9950743-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Emotet.ARJ!MTB",
          "display_name": "Trojan:Win32/Emotet.ARJ!MTB",
          "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 459,
        "FileHash-MD5": 1228,
        "FileHash-SHA1": 1163,
        "FileHash-SHA256": 2243,
        "domain": 876,
        "hostname": 1088,
        "CIDR": 2,
        "email": 17,
        "CVE": 2,
        "SSLCertFingerprint": 5
      },
      "indicator_count": 7083,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "536 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b759cf57d491a9dcca8c17",
      "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com |  Twitter | Remote Job",
      "description": "Miscellaneous VirusTotal attack found. A malicious hash was found while researching a malicious Twitter template regarding a post found re: an otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, X.com, Google.com, YouTube, Android devices and Apple ID (OTX seems impacted), with and without header and every version of related links. Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.",
      "modified": "2024-10-08T11:00:59.828000",
      "created": "2024-08-10T12:15:11.526000",
      "tags": [
        "win32 exe",
        "pe32",
        "intel",
        "ms windows",
        "yoda",
        "crypter",
        "win16 ne",
        "os2 executable",
        "sections",
        "md5 upx0",
        "upx1",
        "upx2",
        "downloads",
        "http posts",
        "mitre att",
        "evasion ta0005",
        "ta0006 input",
        "capture t1056",
        "remote system",
        "discovery t1018",
        "reads",
        "discovery t1082",
        "windows nt",
        "get http",
        "request",
        "pragma",
        "response",
        "memory pattern",
        "g2 tls",
        "rsa sha256",
        "ca1 odigicert",
        "inc cus",
        "hashes",
        "peexe",
        "deleted c",
        "files dropped",
        "json",
        "registry keys",
        "ssl protocol",
        "de ff",
        "c4 a6",
        "fe b9",
        "d7 e8",
        "ed f6",
        "c5 c1",
        "dd f1",
        "e0 ee",
        "dword",
        "samplepath",
        "process",
        "created",
        "shell commands",
        "windir",
        "runtime modules",
        "urls",
        "ip detections",
        "country",
        "us a83f81100",
        "microsoft stuff",
        "malicious proxy",
        "june",
        "referrer",
        "historical ssl",
        "threat roundup",
        "domains",
        "threat network",
        "tracker radar",
        "hunting service",
        "vt ransomware",
        "malicious",
        "ermac",
        "probe",
        "vhash",
        "authentihash",
        "rich pe",
        "ssdeep",
        "magic pe32",
        "trid upx",
        "portable",
        "info compiler",
        "products",
        "vs2008",
        "vs2010 sp1",
        "vs2010",
        "header target",
        "machine intel",
        "utc entry",
        "point",
        "registrar",
        "csc corporate",
        "markmonitor inc",
        "ta0009 command",
        "control ta0011",
        "catalog tree",
        "analysis ob0001",
        "analysis ob0002",
        "command",
        "control ob0004",
        "defense evasion",
        "sample",
        "upx software",
        "upx packed",
        "evasion t1497",
        "may sleep",
        "packing f0001",
        "evasion b0003",
        "f0001 upx",
        "ob0006 software",
        "file",
        "post http",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "zenbox",
        "user",
        "files deleted",
        "files",
        "calls",
        "as15169 google",
        "united",
        "status",
        "date",
        "name servers",
        "cname",
        "passive dns",
        "search",
        "record value",
        "next",
        "error",
        "code",
        "unknown",
        "trojan",
        "found",
        "gmt contenttype",
        "sameorigin",
        "all scoreblue",
        "trojandropper",
        "matches rule",
        "et info",
        "generic http",
        "exe upload",
        "vtapi",
        "emails",
        "servers",
        "aaaa",
        "domain",
        "as13414 twitter",
        "backdoor",
        "ipv4",
        "pulse pulses",
        "virtool",
        "mirai",
        "analyzer paste",
        "iocs",
        "hostnames",
        "urls https",
        "borpa loading",
        "expiration",
        "url https",
        "akamai rank",
        "hostname",
        "twitter",
        "tsara brashears",
        "ip address",
        "pe resource",
        "apple ios",
        "threats",
        "malware",
        "scripts",
        "norton",
        "excel",
        "hacktool",
        "problem",
        "njrat",
        "ransomware",
        "open",
        "samples",
        "url http",
        "vercel",
        "server attack",
        "yara detections",
        "push",
        "scan endpoints",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "code overlap",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "copy",
        "host",
        "contentlength",
        "malware beacon",
        "show",
        "entries",
        "cape",
        "write",
        "expiration date",
        "tulach topic",
        "brian sabey",
        "hallrender",
        "apple id",
        "malicious url",
        "tag count",
        "tld count",
        "detection list",
        "blacklist https",
        "count blacklist",
        "tag tag",
        "no data",
        "tld aggregation",
        "combined",
        "contact",
        "as206834 team",
        "canada unknown",
        "div div",
        "redacted for",
        "unknown xn",
        "script script",
        "msie",
        "chrome",
        "precondition",
        "mtb oct",
        "body",
        "worm",
        "trojanspy",
        "xpire.info",
        "searchmeup",
        "as61969 team",
        "creation date",
        "domain robot",
        "win32",
        "et smtp",
        "message",
        "high",
        "mailrubar",
        "trojanclicker",
        "parking crew",
        "parking logic",
        "category",
        "trojan features",
        "file samples",
        "files matching",
        "date hash",
        "showing",
        "creates largekey",
        "threat sniper",
        "crouching yeti",
        "kitten",
        "camaro dragon",
        "google phish",
        "macros",
        "hiddentear",
        "plugins",
        "removes headers",
        "hitmen"
      ],
      "references": [
        "trojan.vtflooder/vflooder FileHash-SHA256  e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4",
        "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection",
        "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound",
        "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data",
        "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
        "https://fixupx.com/Yoda4ever/status/1819058165264404527",
        "Malicious IP: 1.3.6.1 ASNone  Generic.Malware has also been named in ransomware and other highly malicious attacks. (Reviewer note: 1.3.6.1 is also the iso.org.dod.internet OID prefix and carries no ASN here; confirm this is a genuine routed address before acting on it.)",
        "http://borpatoken.com/ borpatoken.com",
        "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
        "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter",
        "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.",
        "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443",
        "X Vercel Servers",
        "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db",
        "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c",
        "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae",
        "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick",
        "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com",
        "Vtapi: scanter.com | www.twitter.com | x.com",
        "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message",
        "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain",
        "Crypt3.BWVY: FileHash-SHA256  9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249",
        "Crypt3.BWVY: FileHash-SHA1  4c60cf6b7e2981f1c05c5a34f880c6020923014c",
        "Crypt3.BWVY: FileHash-MD5  947f28c8ab697548aca370c080187e6e"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        },
        {
          "id": "Win.Trojan.Occamy",
          "display_name": "Win.Trojan.Occamy",
          "target": null
        },
        {
          "id": "W32.AIDetectMalware",
          "display_name": "W32.AIDetectMalware",
          "target": null
        },
        {
          "id": "Trojan.Vtflooder/Vflooder",
          "display_name": "Trojan.Vtflooder/Vflooder",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Xpire.info",
          "display_name": "Xpire.info",
          "target": null
        },
        {
          "id": "Searchmeup",
          "display_name": "Searchmeup",
          "target": null
        },
        {
          "id": "Trojan:Win32/Trickler",
          "display_name": "Trojan:Win32/Trickler",
          "target": "/malware/Trojan:Win32/Trickler"
        },
        {
          "id": "Trojan:Win32/Comame",
          "display_name": "Trojan:Win32/Comame",
          "target": "/malware/Trojan:Win32/Comame"
        },
        {
          "id": "#VirTool:Win32/Obfuscator",
          "display_name": "#VirTool:Win32/Obfuscator",
          "target": "/malware/#VirTool:Win32/Obfuscator"
        },
        {
          "id": "Trojan:Win32/Pariham",
          "display_name": "Trojan:Win32/Pariham",
          "target": "/malware/Trojan:Win32/Pariham"
        }
      ],
      "attack_ids": [
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1943,
        "FileHash-SHA1": 1637,
        "FileHash-SHA256": 3321,
        "URL": 1014,
        "domain": 645,
        "hostname": 1472,
        "email": 7,
        "CVE": 2
      },
      "indicator_count": 10041,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "558 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b75a315eac0ff46fa4510d",
      "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com |  Twitter | Remote Job",
      "description": "Miscellaneous VirusTotal attack found. A malicious hash was found while researching a malicious Twitter template regarding a post found re: an otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, X.com, Google.com, YouTube, Android devices and Apple ID (OTX seems impacted), with and without header and every version of related links. Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.",
      "modified": "2024-10-08T11:00:59.828000",
      "created": "2024-08-10T12:16:49.869000",
      "tags": [
        "win32 exe",
        "pe32",
        "intel",
        "ms windows",
        "yoda",
        "crypter",
        "win16 ne",
        "os2 executable",
        "sections",
        "md5 upx0",
        "upx1",
        "upx2",
        "downloads",
        "http posts",
        "mitre att",
        "evasion ta0005",
        "ta0006 input",
        "capture t1056",
        "remote system",
        "discovery t1018",
        "reads",
        "discovery t1082",
        "windows nt",
        "get http",
        "request",
        "pragma",
        "response",
        "memory pattern",
        "g2 tls",
        "rsa sha256",
        "ca1 odigicert",
        "inc cus",
        "hashes",
        "peexe",
        "deleted c",
        "files dropped",
        "json",
        "registry keys",
        "ssl protocol",
        "de ff",
        "c4 a6",
        "fe b9",
        "d7 e8",
        "ed f6",
        "c5 c1",
        "dd f1",
        "e0 ee",
        "dword",
        "samplepath",
        "process",
        "created",
        "shell commands",
        "windir",
        "runtime modules",
        "urls",
        "ip detections",
        "country",
        "us a83f81100",
        "microsoft stuff",
        "malicious proxy",
        "june",
        "referrer",
        "historical ssl",
        "threat roundup",
        "domains",
        "threat network",
        "tracker radar",
        "hunting service",
        "vt ransomware",
        "malicious",
        "ermac",
        "probe",
        "vhash",
        "authentihash",
        "rich pe",
        "ssdeep",
        "magic pe32",
        "trid upx",
        "portable",
        "info compiler",
        "products",
        "vs2008",
        "vs2010 sp1",
        "vs2010",
        "header target",
        "machine intel",
        "utc entry",
        "point",
        "registrar",
        "csc corporate",
        "markmonitor inc",
        "ta0009 command",
        "control ta0011",
        "catalog tree",
        "analysis ob0001",
        "analysis ob0002",
        "command",
        "control ob0004",
        "defense evasion",
        "sample",
        "upx software",
        "upx packed",
        "evasion t1497",
        "may sleep",
        "packing f0001",
        "evasion b0003",
        "f0001 upx",
        "ob0006 software",
        "file",
        "post http",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "zenbox",
        "user",
        "files deleted",
        "files",
        "calls",
        "as15169 google",
        "united",
        "status",
        "date",
        "name servers",
        "cname",
        "passive dns",
        "search",
        "record value",
        "next",
        "error",
        "code",
        "unknown",
        "trojan",
        "found",
        "gmt contenttype",
        "sameorigin",
        "all scoreblue",
        "trojandropper",
        "matches rule",
        "et info",
        "generic http",
        "exe upload",
        "vtapi",
        "emails",
        "servers",
        "aaaa",
        "domain",
        "as13414 twitter",
        "backdoor",
        "ipv4",
        "pulse pulses",
        "virtool",
        "mirai",
        "analyzer paste",
        "iocs",
        "hostnames",
        "urls https",
        "borpa loading",
        "expiration",
        "url https",
        "akamai rank",
        "hostname",
        "twitter",
        "tsara brashears",
        "ip address",
        "pe resource",
        "apple ios",
        "threats",
        "malware",
        "scripts",
        "norton",
        "excel",
        "hacktool",
        "problem",
        "njrat",
        "ransomware",
        "open",
        "samples",
        "url http",
        "vercel",
        "server attack",
        "yara detections",
        "push",
        "scan endpoints",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "code overlap",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "copy",
        "host",
        "contentlength",
        "malware beacon",
        "show",
        "entries",
        "cape",
        "write",
        "expiration date",
        "tulach topic",
        "brian sabey",
        "hallrender",
        "apple id",
        "malicious url",
        "tag count",
        "tld count",
        "detection list",
        "blacklist https",
        "count blacklist",
        "tag tag",
        "no data",
        "tld aggregation",
        "combined",
        "contact",
        "as206834 team",
        "canada unknown",
        "div div",
        "redacted for",
        "unknown xn",
        "script script",
        "msie",
        "chrome",
        "precondition",
        "mtb oct",
        "body",
        "worm",
        "trojanspy",
        "xpire.info",
        "searchmeup",
        "as61969 team",
        "creation date",
        "domain robot",
        "win32",
        "et smtp",
        "message",
        "high",
        "mailrubar",
        "trojanclicker",
        "parking crew",
        "parking logic",
        "category",
        "trojan features",
        "file samples",
        "files matching",
        "date hash",
        "showing",
        "creates largekey",
        "threat sniper",
        "crouching yeti",
        "kitten",
        "camaro dragon",
        "google phish",
        "macros",
        "hiddentear",
        "plugins",
        "removes headers",
        "hitmen"
      ],
      "references": [
        "trojan.vtflooder/vflooder FileHash-SHA256  e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4",
        "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection",
        "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound",
        "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data",
        "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
        "https://fixupx.com/Yoda4ever/status/1819058165264404527",
        "Malicious IP: 1.3.6.1 ASNone  Generic.Malware has also been named in ransomware and other highly malicious attacks. (Reviewer note: 1.3.6.1 is also the iso.org.dod.internet OID prefix and carries no ASN here; confirm this is a genuine routed address before acting on it.)",
        "http://borpatoken.com/ borpatoken.com",
        "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
        "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter",
        "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.",
        "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443",
        "X Vercel Servers",
        "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db",
        "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c",
        "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae",
        "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick",
        "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com",
        "Vtapi: scanter.com | www.twitter.com | x.com",
        "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message",
        "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain",
        "Crypt3.BWVY: FileHash-SHA256  9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249",
        "Crypt3.BWVY: FileHash-SHA1  4c60cf6b7e2981f1c05c5a34f880c6020923014c",
        "Crypt3.BWVY: FileHash-MD5  947f28c8ab697548aca370c080187e6e"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        },
        {
          "id": "Win.Trojan.Occamy",
          "display_name": "Win.Trojan.Occamy",
          "target": null
        },
        {
          "id": "W32.AIDetectMalware",
          "display_name": "W32.AIDetectMalware",
          "target": null
        },
        {
          "id": "Trojan.Vtflooder/Vflooder",
          "display_name": "Trojan.Vtflooder/Vflooder",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Xpire.info",
          "display_name": "Xpire.info",
          "target": null
        },
        {
          "id": "Searchmeup",
          "display_name": "Searchmeup",
          "target": null
        },
        {
          "id": "Trojan:Win32/Trickler",
          "display_name": "Trojan:Win32/Trickler",
          "target": "/malware/Trojan:Win32/Trickler"
        },
        {
          "id": "Trojan:Win32/Comame",
          "display_name": "Trojan:Win32/Comame",
          "target": "/malware/Trojan:Win32/Comame"
        },
        {
          "id": "#VirTool:Win32/Obfuscator",
          "display_name": "#VirTool:Win32/Obfuscator",
          "target": "/malware/#VirTool:Win32/Obfuscator"
        },
        {
          "id": "Trojan:Win32/Pariham",
          "display_name": "Trojan:Win32/Pariham",
          "target": "/malware/Trojan:Win32/Pariham"
        }
      ],
      "attack_ids": [
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 57,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1943,
        "FileHash-SHA1": 1637,
        "FileHash-SHA256": 3321,
        "URL": 1030,
        "domain": 646,
        "hostname": 1473,
        "email": 7,
        "CVE": 2
      },
      "indicator_count": 10059,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "558 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "663b4a3d4df0c7f120a8c60c",
      "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE [02/27/2024]",
      "description": "",
      "modified": "2024-05-08T09:47:41.535000",
      "created": "2024-05-08T09:47:41.535000",
      "tags": [
        "contacted",
        "t whois",
        "switch dns",
        "password",
        "adware",
        "trojan",
        "worm",
        "dns",
        "tracking",
        "ransomware",
        "as8075",
        "united",
        "unknown",
        "creation date",
        "search",
        "date",
        "entries",
        "pulse pulses",
        "passive dns",
        "urls",
        "defense",
        "date hash",
        "showing",
        "greatcall",
        "lively",
        "cname",
        "path",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "expiressat",
        "maxage31536000",
        "html info",
        "title access",
        "denied trackers",
        "bing ads",
        "ver2",
        "vids1",
        "msclkidn",
        "home pg",
        "utc google",
        "tag manager",
        "ssl certificate",
        "whois record",
        "referrer",
        "communicating",
        "whois whois",
        "historical ssl",
        "resolutions",
        "pe resource",
        "ip addresses",
        "execution",
        "malware",
        "urls url",
        "domains domain",
        "threat roundup",
        "cyber crime",
        "use collection",
        "files",
        "parent domain",
        "network",
        "december",
        "august",
        "round",
        "february",
        "june",
        "cobalt strike",
        "lockbit",
        "miner",
        "ransom",
        "show",
        "scan endpoints",
        "all octoseek",
        "filehash",
        "av detections",
        "ids detections",
        "copy",
        "conhost",
        "shell commands",
        "processes tree",
        "samplepath",
        "dynamicloader",
        "domain",
        "query",
        "etpro malware",
        "gandcrab dns",
        "lookup",
        "powershell",
        "write",
        "gandcrab",
        "as14061",
        "a domains",
        "meta",
        "type",
        "moved",
        "body",
        "encrypt",
        "germany unknown",
        "as3209 vodafone",
        "aaaa",
        "next",
        "error",
        "status",
        "as797 att",
        "copyright c",
        "record value",
        "expiration date",
        "name servers",
        "serving ip",
        "address",
        "date sat",
        "gmt contenttype",
        "win32 exe",
        "detections type",
        "name",
        "android",
        "decode",
        "crypt",
        "contacted urls",
        "relacionada",
        "agent tesla",
        "active threats",
        "spyware",
        "cyberstalking",
        "as54113",
        "as22075",
        "japan",
        "germany",
        "united kingdom",
        "australia",
        "as13789",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "apple",
        "password",
        "apple private",
        "data collection",
        "cyber warfare",
        "core",
        "hacktool",
        "malicious",
        "banker",
        "keylogger",
        "bot networks",
        "elderly",
        "disability",
        "health phone",
        "brashears",
        "tsara",
        "brian",
        "m",
        "sabey",
        "tulach",
        "rsa sha256",
        "content type",
        "access",
        "length",
        "masquerade",
        "true defense",
        "fraud services"
      ],
      "references": [
        "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
        "192.168.0.25 [Network Router Admin Login to wireless routers]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
        "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
        "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
        "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
        "images.ctfassets.net [data collection of citizen]",
        "114.114.114.114 - Tulach Malware",
        "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
        "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
        "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
        "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
        "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
        "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
        "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
        "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
        "ttp://nomoreransom.coin/ [method \u2022 user agent]",
        "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
        "Cobalt Strike | 3.12.49.0 | Amazon 02",
        "uversecentral3.att.com [decode cookie \u2022 unlock]",
        "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
        "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/GandCrab.AE",
          "display_name": "Ransom:Win32/GandCrab.AE",
          "target": "/malware/Ransom:Win32/GandCrab.AE"
        },
        {
          "id": "Win32:RansomX-gen\\ [Ransom]",
          "display_name": "Win32:RansomX-gen\\ [Ransom]",
          "target": null
        },
        {
          "id": "Ransom:Win32/GandCrab.E",
          "display_name": "Ransom:Win32/GandCrab.E",
          "target": "/malware/Ransom:Win32/GandCrab.E"
        },
        {
          "id": "Win.Packer.Crypter-6539596-1",
          "display_name": "Win.Packer.Crypter-6539596-1",
          "target": null
        },
        {
          "id": "ETPro",
          "display_name": "ETPro",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Tulach Malware",
          "display_name": "Tulach Malware",
          "target": null
        },
        {
          "id": "ALF:TrojanSpy:Win32/Keylogger",
          "display_name": "ALF:TrojanSpy:Win32/Keylogger",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0006",
          "name": "Credential Access",
          "display_name": "TA0006 - Credential Access"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1183",
          "name": "Image File Execution Options Injection",
          "display_name": "T1183 - Image File Execution Options Injection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "green",
      "cloned_from": "65de914a22e80e90ac329dce",
      "export_count": 1176,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 231,
        "FileHash-SHA1": 217,
        "FileHash-SHA256": 1628,
        "URL": 298,
        "domain": 1047,
        "hostname": 877,
        "email": 7
      },
      "indicator_count": 4305,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "711 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d97b3040e853a998bbd2cf",
      "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
      "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab is ransomware, a form of malware that demands payment from the victim in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. In many instances, files are encrypted in order to control, spy, monitor DNS traffic, download other malware, spy on targets, and modify, delete or write on victims' devices while going undetected.",
      "modified": "2024-03-25T03:03:48.639000",
      "created": "2024-02-24T05:14:24.088000",
      "tags": [
        "contacted",
        "t whois",
        "switch dns",
        "password",
        "adware",
        "trojan",
        "worm",
        "dns",
        "tracking",
        "ransomware",
        "as8075",
        "united",
        "unknown",
        "creation date",
        "search",
        "date",
        "entries",
        "pulse pulses",
        "passive dns",
        "urls",
        "defense",
        "date hash",
        "showing",
        "greatcall",
        "lively",
        "cname",
        "path",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "expiressat",
        "maxage31536000",
        "html info",
        "title access",
        "denied trackers",
        "bing ads",
        "ver2",
        "vids1",
        "msclkidn",
        "home pg",
        "utc google",
        "tag manager",
        "ssl certificate",
        "whois record",
        "referrer",
        "communicating",
        "whois whois",
        "historical ssl",
        "resolutions",
        "pe resource",
        "ip addresses",
        "execution",
        "malware",
        "urls url",
        "domains domain",
        "threat roundup",
        "cyber crime",
        "use collection",
        "files",
        "parent domain",
        "network",
        "december",
        "august",
        "round",
        "february",
        "june",
        "cobalt strike",
        "lockbit",
        "miner",
        "ransom",
        "show",
        "scan endpoints",
        "all octoseek",
        "filehash",
        "av detections",
        "ids detections",
        "copy",
        "conhost",
        "shell commands",
        "processes tree",
        "samplepath",
        "dynamicloader",
        "domain",
        "query",
        "etpro malware",
        "gandcrab dns",
        "lookup",
        "powershell",
        "write",
        "gandcrab",
        "as14061",
        "a domains",
        "meta",
        "type",
        "moved",
        "body",
        "encrypt",
        "germany unknown",
        "as3209 vodafone",
        "aaaa",
        "next",
        "error",
        "status",
        "as797 att",
        "copyright c",
        "record value",
        "expiration date",
        "name servers",
        "serving ip",
        "address",
        "date sat",
        "gmt contenttype",
        "win32 exe",
        "detections type",
        "name",
        "android",
        "decode",
        "crypt",
        "contacted urls",
        "relacionada",
        "agent tesla",
        "active threats",
        "spyware",
        "cyberstalking",
        "as54113",
        "as22075",
        "japan",
        "germany",
        "united kingdom",
        "australia",
        "as13789",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "apple",
        "password",
        "apple private",
        "data collection",
        "cyber warfare",
        "core",
        "hacktool",
        "malicious",
        "banker",
        "keylogger",
        "bot networks",
        "elderly",
        "disability",
        "health phone",
        "brashears",
        "tsara",
        "brian",
        "m",
        "sabey",
        "tulach",
        "rsa sha256",
        "content type",
        "access",
        "length",
        "masquerade",
        "true defense",
        "fraud services"
      ],
      "references": [
        "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.",
        "192.168.0.25 [Network Router Admin Login to wireless routers]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
        "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
        "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
        "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
        "images.ctfassets.net [data collection of citizen]",
        "114.114.114.114 - Tulach Malware",
        "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
        "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
        "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
        "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
        "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
        "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
        "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
        "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
        "ttp://nomoreransom.coin/ [method \u2022 user agent]",
        "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
        "Cobalt Strike | 3.12.49.0 | Amazon 02",
        "uversecentral3.att.com [decode cookie \u2022 unlock]",
        "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
        "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable",
        "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/GandCrab.AE",
          "display_name": "Ransom:Win32/GandCrab.AE",
          "target": "/malware/Ransom:Win32/GandCrab.AE"
        },
        {
          "id": "Win32:RansomX-gen\\ [Ransom]",
          "display_name": "Win32:RansomX-gen\\ [Ransom]",
          "target": null
        },
        {
          "id": "Ransom:Win32/GandCrab.E",
          "display_name": "Ransom:Win32/GandCrab.E",
          "target": "/malware/Ransom:Win32/GandCrab.E"
        },
        {
          "id": "Win.Packer.Crypter-6539596-1",
          "display_name": "Win.Packer.Crypter-6539596-1",
          "target": null
        },
        {
          "id": "ETPro",
          "display_name": "ETPro",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Tulach Malware",
          "display_name": "Tulach Malware",
          "target": null
        },
        {
          "id": "ALF:TrojanSpy:Win32/Keylogger",
          "display_name": "ALF:TrojanSpy:Win32/Keylogger",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0006",
          "name": "Credential Access",
          "display_name": "TA0006 - Credential Access"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1183",
          "name": "Image File Execution Options Injection",
          "display_name": "T1183 - Image File Execution Options Injection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 231,
        "FileHash-SHA1": 217,
        "FileHash-SHA256": 1628,
        "URL": 298,
        "domain": 1047,
        "hostname": 877,
        "email": 7
      },
      "indicator_count": 4305,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 218,
      "modified_text": "755 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d97b3131bb8503e087d749",
      "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
      "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab is ransomware, a form of malware that demands payment from the victim in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. In many instances, files are encrypted in order to control, spy, monitor DNS traffic, download other malware, spy on targets, and modify, delete or write on victims' devices while going undetected.",
      "modified": "2024-03-25T03:03:48.639000",
      "created": "2024-02-24T05:14:25.808000",
      "tags": [
        "contacted",
        "t whois",
        "switch dns",
        "password",
        "adware",
        "trojan",
        "worm",
        "dns",
        "tracking",
        "ransomware",
        "as8075",
        "united",
        "unknown",
        "creation date",
        "search",
        "date",
        "entries",
        "pulse pulses",
        "passive dns",
        "urls",
        "defense",
        "date hash",
        "showing",
        "greatcall",
        "lively",
        "cname",
        "path",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "expiressat",
        "maxage31536000",
        "html info",
        "title access",
        "denied trackers",
        "bing ads",
        "ver2",
        "vids1",
        "msclkidn",
        "home pg",
        "utc google",
        "tag manager",
        "ssl certificate",
        "whois record",
        "referrer",
        "communicating",
        "whois whois",
        "historical ssl",
        "resolutions",
        "pe resource",
        "ip addresses",
        "execution",
        "malware",
        "urls url",
        "domains domain",
        "threat roundup",
        "cyber crime",
        "use collection",
        "files",
        "parent domain",
        "network",
        "december",
        "august",
        "round",
        "february",
        "june",
        "cobalt strike",
        "lockbit",
        "miner",
        "ransom",
        "show",
        "scan endpoints",
        "all octoseek",
        "filehash",
        "av detections",
        "ids detections",
        "copy",
        "conhost",
        "shell commands",
        "processes tree",
        "samplepath",
        "dynamicloader",
        "domain",
        "query",
        "etpro malware",
        "gandcrab dns",
        "lookup",
        "powershell",
        "write",
        "gandcrab",
        "as14061",
        "a domains",
        "meta",
        "type",
        "moved",
        "body",
        "encrypt",
        "germany unknown",
        "as3209 vodafone",
        "aaaa",
        "next",
        "error",
        "status",
        "as797 att",
        "copyright c",
        "record value",
        "expiration date",
        "name servers",
        "serving ip",
        "address",
        "date sat",
        "gmt contenttype",
        "win32 exe",
        "detections type",
        "name",
        "android",
        "decode",
        "crypt",
        "contacted urls",
        "relacionada",
        "agent tesla",
        "active threats",
        "spyware",
        "cyberstalking",
        "as54113",
        "as22075",
        "japan",
        "germany",
        "united kingdom",
        "australia",
        "as13789",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "apple",
        "password",
        "apple private",
        "data collection",
        "cyber warfare",
        "core",
        "hacktool",
        "malicious",
        "banker",
        "keylogger",
        "bot networks",
        "elderly",
        "disability",
        "health phone",
        "brashears",
        "tsara",
        "brian",
        "m",
        "sabey",
        "tulach",
        "rsa sha256",
        "content type",
        "access",
        "length",
        "masquerade",
        "true defense",
        "fraud services"
      ],
      "references": [
        "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.",
        "192.168.0.25 [Network Router Admin Login to wireless routers]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
        "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
        "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
        "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
        "images.ctfassets.net [data collection of citizen]",
        "114.114.114.114 - Tulach Malware",
        "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
        "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
        "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
        "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
        "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
        "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
        "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
        "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
        "ttp://nomoreransom.coin/ [method \u2022 user agent]",
        "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
        "Cobalt Strike | 3.12.49.0 | Amazon 02",
        "uversecentral3.att.com [decode cookie \u2022 unlock]",
        "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
        "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable",
        "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/GandCrab.AE",
          "display_name": "Ransom:Win32/GandCrab.AE",
          "target": "/malware/Ransom:Win32/GandCrab.AE"
        },
        {
          "id": "Win32:RansomX-gen\\ [Ransom]",
          "display_name": "Win32:RansomX-gen\\ [Ransom]",
          "target": null
        },
        {
          "id": "Ransom:Win32/GandCrab.E",
          "display_name": "Ransom:Win32/GandCrab.E",
          "target": "/malware/Ransom:Win32/GandCrab.E"
        },
        {
          "id": "Win.Packer.Crypter-6539596-1",
          "display_name": "Win.Packer.Crypter-6539596-1",
          "target": null
        },
        {
          "id": "ETPro",
          "display_name": "ETPro",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Tulach Malware",
          "display_name": "Tulach Malware",
          "target": null
        },
        {
          "id": "ALF:TrojanSpy:Win32/Keylogger",
          "display_name": "ALF:TrojanSpy:Win32/Keylogger",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0006",
          "name": "Credential Access",
          "display_name": "TA0006 - Credential Access"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1183",
          "name": "Image File Execution Options Injection",
          "display_name": "T1183 - Image File Execution Options Injection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 231,
        "FileHash-SHA1": 217,
        "FileHash-SHA256": 1628,
        "URL": 298,
        "domain": 1047,
        "hostname": 877,
        "email": 7
      },
      "indicator_count": 4305,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 218,
      "modified_text": "755 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d97d89cda3f0dbf62f499d",
      "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
      "description": "*Edit: I meant that AT&T may be unaware despite the reported outage. My AT&T study is private and was researched from a corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab ransomware is malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. In many instances, files are encrypted to control, spy on, or monitor DNS traffic, download other malware, spy on targets, and modify, delete, or write on victims' devices while going undetected.",
      "modified": "2024-03-25T03:03:48.639000",
      "created": "2024-02-24T05:24:25.169000",
      "tags": [
        "contacted",
        "t whois",
        "switch dns",
        "password",
        "adware",
        "trojan",
        "worm",
        "dns",
        "tracking",
        "ransomware",
        "as8075",
        "united",
        "unknown",
        "creation date",
        "search",
        "date",
        "entries",
        "pulse pulses",
        "passive dns",
        "urls",
        "defense",
        "date hash",
        "showing",
        "greatcall",
        "lively",
        "cname",
        "path",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "expiressat",
        "maxage31536000",
        "html info",
        "title access",
        "denied trackers",
        "bing ads",
        "ver2",
        "vids1",
        "msclkidn",
        "home pg",
        "utc google",
        "tag manager",
        "ssl certificate",
        "whois record",
        "referrer",
        "communicating",
        "whois whois",
        "historical ssl",
        "resolutions",
        "pe resource",
        "ip addresses",
        "execution",
        "malware",
        "urls url",
        "domains domain",
        "threat roundup",
        "cyber crime",
        "use collection",
        "files",
        "parent domain",
        "network",
        "december",
        "august",
        "round",
        "february",
        "june",
        "cobalt strike",
        "lockbit",
        "miner",
        "ransom",
        "show",
        "scan endpoints",
        "all octoseek",
        "filehash",
        "av detections",
        "ids detections",
        "copy",
        "conhost",
        "shell commands",
        "processes tree",
        "samplepath",
        "dynamicloader",
        "domain",
        "query",
        "etpro malware",
        "gandcrab dns",
        "lookup",
        "powershell",
        "write",
        "gandcrab",
        "as14061",
        "a domains",
        "meta",
        "type",
        "moved",
        "body",
        "encrypt",
        "germany unknown",
        "as3209 vodafone",
        "aaaa",
        "next",
        "error",
        "status",
        "as797 att",
        "copyright c",
        "record value",
        "expiration date",
        "name servers",
        "serving ip",
        "address",
        "date sat",
        "gmt contenttype",
        "win32 exe",
        "detections type",
        "name",
        "android",
        "decode",
        "crypt",
        "contacted urls",
        "relacionada",
        "agent tesla",
        "active threats",
        "spyware",
        "cyberstalking",
        "as54113",
        "as22075",
        "japan",
        "germany",
        "united kingdom",
        "australia",
        "as13789",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "apple",
        "password",
        "apple private",
        "data collection",
        "cyber warfare",
        "core",
        "hacktool",
        "malicious",
        "banker",
        "keylogger",
        "bot networks",
        "elderly",
        "disability",
        "health phone",
        "brashears",
        "tsara",
        "brian",
        "m",
        "sabey",
        "tulach",
        "rsa sha256",
        "content type",
        "access",
        "length",
        "masquerade",
        "true defense",
        "fraud services"
      ],
      "references": [
        "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
        "192.168.0.25 [Network Router Admin Login to wireless routers]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
        "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
        "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
        "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
        "images.ctfassets.net [data collection of citizen]",
        "114.114.114.114 - Tulach Malware",
        "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
        "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
        "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
        "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
        "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
        "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
        "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
        "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
        "ttp://nomoreransom.coin/ [method \u2022 user agent]",
        "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
        "Cobalt Strike | 3.12.49.0 | Amazon 02",
        "uversecentral3.att.com [decode cookie \u2022 unlock]",
        "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
        "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/GandCrab.AE",
          "display_name": "Ransom:Win32/GandCrab.AE",
          "target": "/malware/Ransom:Win32/GandCrab.AE"
        },
        {
          "id": "Win32:RansomX-gen\\ [Ransom]",
          "display_name": "Win32:RansomX-gen\\ [Ransom]",
          "target": null
        },
        {
          "id": "Ransom:Win32/GandCrab.E",
          "display_name": "Ransom:Win32/GandCrab.E",
          "target": "/malware/Ransom:Win32/GandCrab.E"
        },
        {
          "id": "Win.Packer.Crypter-6539596-1",
          "display_name": "Win.Packer.Crypter-6539596-1",
          "target": null
        },
        {
          "id": "ETPro",
          "display_name": "ETPro",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Tulach Malware",
          "display_name": "Tulach Malware",
          "target": null
        },
        {
          "id": "ALF:TrojanSpy:Win32/Keylogger",
          "display_name": "ALF:TrojanSpy:Win32/Keylogger",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0006",
          "name": "Credential Access",
          "display_name": "TA0006 - Credential Access"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1183",
          "name": "Image File Execution Options Injection",
          "display_name": "T1183 - Image File Execution Options Injection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 231,
        "FileHash-SHA1": 217,
        "FileHash-SHA256": 1628,
        "URL": 298,
        "domain": 1047,
        "hostname": 877,
        "email": 7
      },
      "indicator_count": 4305,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 218,
      "modified_text": "755 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d97d8e925459e97ca124c9",
      "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE",
      "description": "*Edit: I meant that AT&T may be unaware despite the reported outage. My AT&T study is private and was researched from a corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab ransomware is malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. In many instances, files are encrypted to control, spy on, or monitor DNS traffic, download other malware, spy on targets, and modify, delete, or write on victims' devices while going undetected.",
      "modified": "2024-03-25T03:03:48.639000",
      "created": "2024-02-24T05:24:30.672000",
      "tags": [
        "contacted",
        "t whois",
        "switch dns",
        "password",
        "adware",
        "trojan",
        "worm",
        "dns",
        "tracking",
        "ransomware",
        "as8075",
        "united",
        "unknown",
        "creation date",
        "search",
        "date",
        "entries",
        "pulse pulses",
        "passive dns",
        "urls",
        "defense",
        "date hash",
        "showing",
        "greatcall",
        "lively",
        "cname",
        "path",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "sha256",
        "expiressat",
        "maxage31536000",
        "html info",
        "title access",
        "denied trackers",
        "bing ads",
        "ver2",
        "vids1",
        "msclkidn",
        "home pg",
        "utc google",
        "tag manager",
        "ssl certificate",
        "whois record",
        "referrer",
        "communicating",
        "whois whois",
        "historical ssl",
        "resolutions",
        "pe resource",
        "ip addresses",
        "execution",
        "malware",
        "urls url",
        "domains domain",
        "threat roundup",
        "cyber crime",
        "use collection",
        "files",
        "parent domain",
        "network",
        "december",
        "august",
        "round",
        "february",
        "june",
        "cobalt strike",
        "lockbit",
        "miner",
        "ransom",
        "show",
        "scan endpoints",
        "all octoseek",
        "filehash",
        "av detections",
        "ids detections",
        "copy",
        "conhost",
        "shell commands",
        "processes tree",
        "samplepath",
        "dynamicloader",
        "domain",
        "query",
        "etpro malware",
        "gandcrab dns",
        "lookup",
        "powershell",
        "write",
        "gandcrab",
        "as14061",
        "a domains",
        "meta",
        "type",
        "moved",
        "body",
        "encrypt",
        "germany unknown",
        "as3209 vodafone",
        "aaaa",
        "next",
        "error",
        "status",
        "as797 att",
        "copyright c",
        "record value",
        "expiration date",
        "name servers",
        "serving ip",
        "address",
        "date sat",
        "gmt contenttype",
        "win32 exe",
        "detections type",
        "name",
        "android",
        "decode",
        "crypt",
        "contacted urls",
        "relacionada",
        "agent tesla",
        "active threats",
        "spyware",
        "cyberstalking",
        "as54113",
        "as22075",
        "japan",
        "germany",
        "united kingdom",
        "australia",
        "as13789",
        "apple ios",
        "tsara brashears",
        "unlocker",
        "apple",
        "password",
        "apple private",
        "data collection",
        "cyber warfare",
        "core",
        "hacktool",
        "malicious",
        "banker",
        "keylogger",
        "bot networks",
        "elderly",
        "disability",
        "health phone",
        "brashears",
        "tsara",
        "brian",
        "m",
        "sabey",
        "tulach",
        "rsa sha256",
        "content type",
        "access",
        "length",
        "masquerade",
        "true defense",
        "fraud services"
      ],
      "references": [
        "https://www.att.com/ [has a medium risk GandCrab ransomware attack]",
        "192.168.0.25 [Network Router Admin Login to wireless routers]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]",
        "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]",
        "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]",
        "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]",
        "facebooksunglassshop.com - Pegasus type tool [spyware data collection]",
        "images.ctfassets.net [data collection of citizen]",
        "114.114.114.114 - Tulach Malware",
        "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)",
        "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly",
        "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets",
        "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]",
        "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service",
        "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]",
        "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]",
        "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]",
        "ttp://nomoreransom.coin/ [method \u2022 user agent]",
        "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]",
        "Cobalt Strike | 3.12.49.0 | Amazon 02",
        "uversecentral3.att.com [decode cookie \u2022 unlock]",
        "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]",
        "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/GandCrab.AE",
          "display_name": "Ransom:Win32/GandCrab.AE",
          "target": "/malware/Ransom:Win32/GandCrab.AE"
        },
        {
          "id": "Win32:RansomX-gen\\ [Ransom]",
          "display_name": "Win32:RansomX-gen\\ [Ransom]",
          "target": null
        },
        {
          "id": "Ransom:Win32/GandCrab.E",
          "display_name": "Ransom:Win32/GandCrab.E",
          "target": "/malware/Ransom:Win32/GandCrab.E"
        },
        {
          "id": "Win.Packer.Crypter-6539596-1",
          "display_name": "Win.Packer.Crypter-6539596-1",
          "target": null
        },
        {
          "id": "ETPro",
          "display_name": "ETPro",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Tulach Malware",
          "display_name": "Tulach Malware",
          "target": null
        },
        {
          "id": "ALF:TrojanSpy:Win32/Keylogger",
          "display_name": "ALF:TrojanSpy:Win32/Keylogger",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0006",
          "name": "Credential Access",
          "display_name": "TA0006 - Credential Access"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0007",
          "name": "Discovery",
          "display_name": "TA0007 - Discovery"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1183",
          "name": "Image File Execution Options Injection",
          "display_name": "T1183 - Image File Execution Options Injection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 30,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 231,
        "FileHash-SHA1": 217,
        "FileHash-SHA256": 1628,
        "URL": 298,
        "domain": 1047,
        "hostname": 877,
        "email": 7
      },
      "indicator_count": 4305,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 218,
      "modified_text": "755 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "appield.support",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "appield.support",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776641902.3701184
}