{ "type": "Domain", "indicator": "augenta.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/augenta.com", "alexa": "http://www.alexa.com/siteinfo/augenta.com", "indicator": "augenta.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2236821915, "indicator": "augenta.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6a03f318b2e654e26402adaa", "name": "\" New Sample of REvil Ransomware - REvil Returned?\" by SteamMiningEx", "description": "", "modified": "2026-05-13T05:26:35.084000", "created": "2026-05-13T03:42:16.083000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65708d5530ef54f76f70777b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 802, "FileHash-MD5": 209, "FileHash-SHA1": 198, "domain": 517, "hostname": 8, "URL": 2 }, "indicator_count": 1736, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c795bb826e6067f37ea127", "name": "'3' clone by credit: krishivpatel", "description": "", "modified": "2026-03-28T08:47:55.537000", "created": "2026-03-28T08:47:55.537000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66cc6e2c6c5bb617fa7fa892", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "63 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "617af11f370d993aeff26e71", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2025-08-25T16:22:33.668000", "created": "2021-10-28T18:51:11.197000", "tags": [ "REvil", "Kaseya", "VSA Server", "ransomware" ], "references": [ "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details", "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354", "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661", "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email", "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "REvil", "display_name": "REvil", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "60df80a7a665c1dd6baf7753", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1177, "hostname": 5, "YARA": 4 }, "indicator_count": 1233, "is_author": false, "is_subscribing": null, "subscriber_count": 564, "modified_text": "278 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6862f3dfadf9868777a97d96", "name": "LokiBot \u2022 Denver Apartments & Townhomes for Rent |", "description": "| ENDGAME |\n\u2022 ALF:Trojan:MSIL/LokiBot.BY!MTBv\n\u2022 Win32:MalwareX-gen\\ [Trj\n| w3.org - 324 malicious files communicating |\n{https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f}\n\n\u2022 Trojan:Win32/Gepys.PVS!MTB\tMalware infection\n\u2022 www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\n\u2022 www.endgame.com/\n(Researcher: CHRIS KRAYBILL?? | Emails\tG5DEV@G5SEARCHMARKETING.COM | Chief Technology Officer of Amplion, Inc)\n! SELL.INTERNETTRAFFIC.COM !\nDescribed as Upscale living.\nMonitoring/Hacking/ Targeting/ Crime/ Keyloggers\n\nUnsafe connections & logging.\n[404/Snake/Matiex Keylogger Style External IP Check\nPossible HTTP 403 XSS Attempt (Local Source)\nDYNAMIC_DNS Query to *.duckdns. Domain]\n[https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f]", "modified": "2025-07-30T20:03:49.035000", "created": "2025-06-30T20:30:23.414000", "tags": [ "passive dns", "urls", "files ip", "address", "moved", "script urls", "creation date", "search", "record value", "date", "body", "x cache", "hio50 c1", "x amz", "read c", "document file", "v2 document", "tls handshake", "failure", "write", "show", "port", "destination", "copy", "malware", "next", "domains show", "domain related", "memcommit", "cryptexportkey", "invalid pointer", "medium", "icmp traffic", "t1055", "http", "memreserve", "windows", "checks amount", "msie", "windows nt", "wow64", "slcc2", "media center", "hostname", "files domain", "files related", "pulses none", "related tags", "none google", "safe browsing", "no expiration", "url https", "expiration", "domain", "sec ch", "ch ua", "ua full", "ua platform", "united", "cname", "present jun", "entries", "ip address", "name servers", "showing", "domain add", "present may", "next associated", "urls show", "date checked", "url hostname", "response ip", "address google", "present sep", "present dec", "present nov", "unique", "url add", "pulse pulses", "related nids", "files location", "code", "present apr", "status", "private name", "org domains", "proxy", "llc address", "road city", "us creation", "domain name", "aaaa", "trojan", "yara detections", "alerts", "analysis date", "file score", "mtb yara", "detections none", "related pulses", "none related", "win32", "expiration date", "title error", "hostname add", "pulse submit", "entries http", "scans record", "value", "a domains", "server", "gmt content", "length", "flywheel", "sea x", "miss x", "accept", "meta", "pulses", "tags", "otx telemetry", "twitter running", "open ports", "certificate", "cookie", "flag united", "local", "unknown ns", "unknown soa", "external ip", "process32nextw", "lookup", "dyndns checkip", "address server", "response", "savbwcd", "ef3ghigj", "abxcde", "unknown", "info", "amazon", "amazon rsa", "location united", "asn as16509", "whois registrar", "none indicator", "facts otx", "referral url", "solutions", "whois server", "query", "contacted", "pulse", "av detections", "ids detections", "detections" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 576, "FileHash-SHA1": 534, "hostname": 212, "URL": 149, "domain": 683, "email": 10, "FileHash-SHA256": 1925, "SSLCertFingerprint": 1 }, "indicator_count": 4090, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a5c2445cf4bbf984e98861", "name": "Social Engineering Crime Victims into Tracking Botnets | Fraud", "description": "Social Engineering 'S' Assault Victims into Tracking Botnets. This goes against basic human rights. An organization named 'The Blue Bench' referred victim to The Initiative for advocacy. She was social engineered, severely compromised and sent diverted from 'The Blue Bench' Colorado. They denied treatment for assault victim in 2022, while The Initiative ' Brian Sabey's stuff, tracked and hijacked phone and location, conversations.\nAuto-populated: \"Last HTTPS certificate\" is the last one to be issued on the internet, according to the website, and it is believed to have been signed by a member of the US government.", "modified": "2024-08-27T03:05:18.727000", "created": "2024-07-28T04:00:04.773000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cc6e2c6c5bb617fa7fa892", "name": "3", "description": "", "modified": "2024-08-27T03:05:18.727000", "created": "2024-08-26T11:59:40.174000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66a5c2445cf4bbf984e98861", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Krishivpatel", "id": "292085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708d5530ef54f76f70777b", "name": "New Sample of REvil Ransomware - REvil Returned?", "description": "", "modified": "2023-12-06T15:03:49.881000", "created": "2023-12-06T15:03:49.881000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 800, "FileHash-MD5": 198, "FileHash-SHA1": 198, "domain": 419, "hostname": 5 }, "indicator_count": 1620, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707c3be05f3a7ea9e654d4", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2023-12-06T13:50:51.719000", "created": "2023-12-06T13:50:51.719000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1178, "hostname": 5, "YARA": 4 }, "indicator_count": 1234, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707bedc2fbc934427f325c", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2023-12-06T13:49:33.291000", "created": "2023-12-06T13:49:33.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1179, "hostname": 5, "YARA": 4 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6273e73af82e7127ef0c570e", "name": "New Sample of REvil Ransomware - REvil Returned?", "description": "A New sample of REvil has emerged almost a year after the major Attack on Kaseya.", "modified": "2022-06-04T00:03:57.626000", "created": "2022-05-05T15:03:22.128000", "tags": [ "REvil", "Sodinokibi" ], "references": [ "https://www.virustotal.com/graph/0c10cf1b1640c9c845080f460ee69392bfaac981a4407b607e8e30d2ddf903e8", "https://blog.malwarebytes.com/ransomware/2022/05/its-business-as-usual-for-revil-ransomware/", "https://twitter.com/JakubKroustek/status/1520135975262957568/photo/2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Revil", "display_name": "Ransom:Win32/Revil", "target": "/malware/Ransom:Win32/Revil" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 198, "FileHash-SHA256": 800, "domain": 419, "hostname": 5 }, "indicator_count": 1620, "is_author": false, "is_subscribing": null, "subscriber_count": 246, "modified_text": "1457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "621fd4c1be7e76f7aab76706", "name": "OTX - Threat Intelligence 2", "description": "bad urls", "modified": "2022-03-02T20:34:09.389000", "created": "2022-03-02T20:34:09.389000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tejcamil", "id": "166775", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 208, "hostname": 2 }, "indicator_count": 210, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1550 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "60df80a7a665c1dd6baf7753", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2022-02-18T14:52:05.251000", "created": "2021-07-02T21:09:59.361000", "tags": [ "REvil", "Kaseya", "VSA Server", "ransomware" ], "references": [ "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details", "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354", "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661", "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email", "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "REvil", "display_name": "REvil", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vthelpdesk", "id": "1766", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_1766/resized/80/avatar_0be7a35fab.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1179, "hostname": 5, "YARA": 4 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 624, "modified_text": "1562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door.", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "https://www.virustotal.com/graph/0c10cf1b1640c9c845080f460ee69392bfaac981a4407b607e8e30d2ddf903e8", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "Victim was then given numbers to workers compensation doctors who didn't speak English", "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "https://blog.malwarebytes.com/ransomware/2022/05/its-business-as-usual-for-revil-ransomware/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "https://twitter.com/JakubKroustek/status/1520135975262957568/photo/2", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Ransom:win32/revil", "Revil" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6a03f318b2e654e26402adaa", "name": "\" New Sample of REvil Ransomware - REvil Returned?\" by SteamMiningEx", "description": "", "modified": "2026-05-13T05:26:35.084000", "created": "2026-05-13T03:42:16.083000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65708d5530ef54f76f70777b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 802, "FileHash-MD5": 209, "FileHash-SHA1": 198, "domain": 517, "hostname": 8, "URL": 2 }, "indicator_count": 1736, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c795bb826e6067f37ea127", "name": "'3' clone by credit: krishivpatel", "description": "", "modified": "2026-03-28T08:47:55.537000", "created": "2026-03-28T08:47:55.537000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66cc6e2c6c5bb617fa7fa892", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "63 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "617af11f370d993aeff26e71", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2025-08-25T16:22:33.668000", "created": "2021-10-28T18:51:11.197000", "tags": [ "REvil", "Kaseya", "VSA Server", "ransomware" ], "references": [ "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details", "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354", "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661", "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email", "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "REvil", "display_name": "REvil", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "60df80a7a665c1dd6baf7753", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1177, "hostname": 5, "YARA": 4 }, "indicator_count": 1233, "is_author": false, "is_subscribing": null, "subscriber_count": 564, "modified_text": "278 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6862f3dfadf9868777a97d96", "name": "LokiBot \u2022 Denver Apartments & Townhomes for Rent |", "description": "| ENDGAME |\n\u2022 ALF:Trojan:MSIL/LokiBot.BY!MTBv\n\u2022 Win32:MalwareX-gen\\ [Trj\n| w3.org - 324 malicious files communicating |\n{https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f}\n\n\u2022 Trojan:Win32/Gepys.PVS!MTB\tMalware infection\n\u2022 www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\n\u2022 www.endgame.com/\n(Researcher: CHRIS KRAYBILL?? | Emails\tG5DEV@G5SEARCHMARKETING.COM | Chief Technology Officer of Amplion, Inc)\n! SELL.INTERNETTRAFFIC.COM !\nDescribed as Upscale living.\nMonitoring/Hacking/ Targeting/ Crime/ Keyloggers\n\nUnsafe connections & logging.\n[404/Snake/Matiex Keylogger Style External IP Check\nPossible HTTP 403 XSS Attempt (Local Source)\nDYNAMIC_DNS Query to *.duckdns. Domain]\n[https://otx.alienvault.com/indicator/file/4fe0a2474da348b703e074cd0e951b09b1152bb9c571eddc268e4ee82178ca0f]", "modified": "2025-07-30T20:03:49.035000", "created": "2025-06-30T20:30:23.414000", "tags": [ "passive dns", "urls", "files ip", "address", "moved", "script urls", "creation date", "search", "record value", "date", "body", "x cache", "hio50 c1", "x amz", "read c", "document file", "v2 document", "tls handshake", "failure", "write", "show", "port", "destination", "copy", "malware", "next", "domains show", "domain related", "memcommit", "cryptexportkey", "invalid pointer", "medium", "icmp traffic", "t1055", "http", "memreserve", "windows", "checks amount", "msie", "windows nt", "wow64", "slcc2", "media center", "hostname", "files domain", "files related", "pulses none", "related tags", "none google", "safe browsing", "no expiration", "url https", "expiration", "domain", "sec ch", "ch ua", "ua full", "ua platform", "united", "cname", "present jun", "entries", "ip address", "name servers", "showing", "domain add", "present may", "next associated", "urls show", "date checked", "url hostname", "response ip", "address google", "present sep", "present dec", "present nov", "unique", "url add", "pulse pulses", "related nids", "files location", "code", "present apr", "status", "private name", "org domains", "proxy", "llc address", "road city", "us creation", "domain name", "aaaa", "trojan", "yara detections", "alerts", "analysis date", "file score", "mtb yara", "detections none", "related pulses", "none related", "win32", "expiration date", "title error", "hostname add", "pulse submit", "entries http", "scans record", "value", "a domains", "server", "gmt content", "length", "flywheel", "sea x", "miss x", "accept", "meta", "pulses", "tags", "otx telemetry", "twitter running", "open ports", "certificate", "cookie", "flag united", "local", "unknown ns", "unknown soa", "external ip", "process32nextw", "lookup", "dyndns checkip", "address server", "response", "savbwcd", "ef3ghigj", "abxcde", "unknown", "info", "amazon", "amazon rsa", "location united", "asn as16509", "whois registrar", "none indicator", "facts otx", "referral url", "solutions", "whois server", "query", "contacted", "pulse", "av detections", "ids detections", "detections" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 576, "FileHash-SHA1": 534, "hostname": 212, "URL": 149, "domain": 683, "email": 10, "FileHash-SHA256": 1925, "SSLCertFingerprint": 1 }, "indicator_count": 4090, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a5c2445cf4bbf984e98861", "name": "Social Engineering Crime Victims into Tracking Botnets | Fraud", "description": "Social Engineering 'S' Assault Victims into Tracking Botnets. This goes against basic human rights. An organization named 'The Blue Bench' referred victim to The Initiative for advocacy. She was social engineered, severely compromised and sent diverted from 'The Blue Bench' Colorado. They denied treatment for assault victim in 2022, while The Initiative ' Brian Sabey's stuff, tracked and hijacked phone and location, conversations.\nAuto-populated: \"Last HTTPS certificate\" is the last one to be issued on the internet, according to the website, and it is believed to have been signed by a member of the US government.", "modified": "2024-08-27T03:05:18.727000", "created": "2024-07-28T04:00:04.773000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cc6e2c6c5bb617fa7fa892", "name": "3", "description": "", "modified": "2024-08-27T03:05:18.727000", "created": "2024-08-26T11:59:40.174000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66a5c2445cf4bbf984e98861", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Krishivpatel", "id": "292085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708d5530ef54f76f70777b", "name": "New Sample of REvil Ransomware - REvil Returned?", "description": "", "modified": "2023-12-06T15:03:49.881000", "created": "2023-12-06T15:03:49.881000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 800, "FileHash-MD5": 198, "FileHash-SHA1": 198, "domain": 419, "hostname": 5 }, "indicator_count": 1620, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707c3be05f3a7ea9e654d4", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2023-12-06T13:50:51.719000", "created": "2023-12-06T13:50:51.719000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1178, "hostname": 5, "YARA": 4 }, "indicator_count": 1234, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707bedc2fbc934427f325c", "name": "Kaseya VSA REvil Indicators", "description": "", "modified": "2023-12-06T13:49:33.291000", "created": "2023-12-06T13:49:33.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 16, "URL": 1, "domain": 1179, "hostname": 5, "YARA": 4 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6273e73af82e7127ef0c570e", "name": "New Sample of REvil Ransomware - REvil Returned?", "description": "A New sample of REvil has emerged almost a year after the major Attack on Kaseya.", "modified": "2022-06-04T00:03:57.626000", "created": "2022-05-05T15:03:22.128000", "tags": [ "REvil", "Sodinokibi" ], "references": [ "https://www.virustotal.com/graph/0c10cf1b1640c9c845080f460ee69392bfaac981a4407b607e8e30d2ddf903e8", "https://blog.malwarebytes.com/ransomware/2022/05/its-business-as-usual-for-revil-ransomware/", "https://twitter.com/JakubKroustek/status/1520135975262957568/photo/2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Revil", "display_name": "Ransom:Win32/Revil", "target": "/malware/Ransom:Win32/Revil" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 198, "FileHash-SHA256": 800, "domain": 419, "hostname": 5 }, "indicator_count": 1620, "is_author": false, "is_subscribing": null, "subscriber_count": 246, "modified_text": "1457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "augenta.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "augenta.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780206080.6813734 }