{ "type": "Domain", "indicator": "backboneplugins.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/backboneplugins.com", "alexa": "http://www.alexa.com/siteinfo/backboneplugins.com", "indicator": "backboneplugins.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3744320623, "indicator": "backboneplugins.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 23, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "7 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "7 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a971ab44409ecb7018428", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:54.823000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9718ac97804d782cc16b", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:52.614000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6569984495dfed1b14e29217", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-01T08:24:36.293000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a6956f101265e30310a0", "name": "Phishing", "description": "", "modified": "2023-12-06T16:51:33.501000", "created": "2023-12-06T16:51:33.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0b0ed49276711ff5728", "name": "Malicious Spreader \u2022 Web Content Scraper \u2022 Ransomware \u2022 Keyloggers \u2022 Command & Control", "description": "", "modified": "2023-12-06T16:26:24.648000", "created": "2023-12-06T16:26:24.648000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 899, "domain": 635, "FileHash-MD5": 1045, "FileHash-SHA1": 312, "FileHash-SHA256": 538, "URL": 1564, "email": 11, "CIDR": 13 }, "indicator_count": 5017, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0ac729cb9725b741ef7", "name": "DNS Poisoning", "description": "", "modified": "2023-12-06T16:26:20.834000", "created": "2023-12-06T16:26:20.834000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0a87b69b80bc3d231c4", "name": "Targets Dropbox \u2022 iPhone \u2022 Notepad \u2022 Emotet \u2022 Keyloggers \u2022 Malvertising \u2022 Ransomware", "description": "", "modified": "2023-12-06T16:26:16.649000", "created": "2023-12-06T16:26:16.649000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0a486cebe9b81c62539", "name": "Cyber Harassment \u2022 Trojan \u2022 Emotet \u2022 Ransomware \u2022 Spyware \u2022 Command & Control \u2022 Cameras \u2022 Defamation", "description": "", "modified": "2023-12-06T16:26:12.489000", "created": "2023-12-06T16:26:12.489000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1470, "CIDR": 13, "email": 7 }, "indicator_count": 4372, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a09d86cebe9b81c62538", "name": "Defacement \u2206 Zone- H", "description": "", "modified": "2023-12-06T16:26:05.086000", "created": "2023-12-06T16:26:05.086000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 899, "domain": 635, "FileHash-MD5": 1045, "FileHash-SHA1": 312, "FileHash-SHA256": 538, "URL": 1564, "email": 11, "CIDR": 13 }, "indicator_count": 5017, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a098968ad3812f1be143", "name": "Defense Attorney Silencing", "description": "", "modified": "2023-12-06T16:26:00.685000", "created": "2023-12-06T16:26:00.685000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0938a4b251d0f7aac7d", "name": "Attorney Malvertising \u2022 Adult Content \u2022 Ransom \u2022 Spyware \u2022 Command & Control \u2022 Camera Use \u2022 Redirects \u2022 Abuse", "description": "", "modified": "2023-12-06T16:25:55.870000", "created": "2023-12-06T16:25:55.870000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a08e9a555f128e4c9a97", "name": "Phishing+ trojan.redir+++++", "description": "", "modified": "2023-12-06T16:25:50.506000", "created": "2023-12-06T16:25:50.506000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513478e73b28e81ccda5957", "name": "Phishing ", "description": "", "modified": "2023-09-26T21:05:18.388000", "created": "2023-09-26T21:05:18.388000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e794b01067ba240b4da90a", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2803, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 663, "hostname": 1166, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6261, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "936 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7a0745f4ca1eaee3b9958", "name": "Malicious Spreader \u2022 Web Content Scraper \u2022 Ransomware \u2022 Keyloggers \u2022 Command & Control ", "description": "", "modified": "2023-09-23T18:04:00.024000", "created": "2023-08-24T18:24:52.769000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e7898e8219d8eca7d41720", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3180, "FileHash-MD5": 1197, "FileHash-SHA1": 451, "domain": 791, "hostname": 1354, "FileHash-SHA256": 823, "CIDR": 13, "email": 15 }, "indicator_count": 7824, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7898e8219d8eca7d41720", "name": "Defacement \u2206 Zone- H", "description": "", "modified": "2023-09-23T18:04:00.024000", "created": "2023-08-24T16:47:10.993000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e788f24690c384d83b31a7", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3180, "FileHash-MD5": 1197, "FileHash-SHA1": 451, "domain": 791, "hostname": 1354, "FileHash-SHA256": 823, "CIDR": 13, "email": 15 }, "indicator_count": 7824, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e788d221a9a9104f9e257e", "name": "Attorney Malvertising \u2022 Adult Content \u2022 Ransom \u2022 Spyware \u2022 Command & Control \u2022 Camera Use \u2022 Redirects \u2022 Abuse ", "description": "", "modified": "2023-09-23T16:00:22.076000", "created": "2023-08-24T16:44:02.883000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e75aa6bbbcef446f0ca285", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2803, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 663, "hostname": 1166, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6261, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e794b01067ba240b4da90a", "name": "Targets Dropbox \u2022 iPhone \u2022 Notepad \u2022 Emotet \u2022 Keyloggers \u2022 Malvertising \u2022 Ransomware ", "description": "", "modified": "2023-09-23T16:00:22.076000", "created": "2023-08-24T17:34:40.827000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e75aa6bbbcef446f0ca285", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2803, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 663, "hostname": 1166, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6261, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e788f24690c384d83b31a7", "name": "Defense Attorney Silencing ", "description": "", "modified": "2023-09-23T16:00:22.076000", "created": "2023-08-24T16:44:34.994000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e788d221a9a9104f9e257e", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2803, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 663, "hostname": 1166, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6261, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e75aa6bbbcef446f0ca285", "name": "Phishing+ trojan.redir+++++", "description": "infiltrates & deploys script that redirects user to a malicious URL or IP. Upon successful deployment, computer is (in this case) infected with multiple viruses, keyloggers, MITRE ATT&K, Cobalt Strike, Total Command & Control of microphone, camera, keyboard. Spyware, phish malicious. Attorney malvertising tactic. Used to silence, threaten, humiliate, strike fear, fram, sets up Lan to broadcast malicious behavior directed from your device. Destructive to network, all devices using network. Spreads from device to device. Older issue. A lot has been cleaned up over time. In this incident you see a target who was an alleged victim of assault. There appears to be legal activity. Most of the activity is Red Team malicious, cyber defense malicious, malicious law firm malvertising a reputation campaign , denial of service attacks, cel phone rerouting and interception on not just calls, complete service takeover. BotNetwork activities.", "modified": "2023-09-23T16:00:22.076000", "created": "2023-08-24T13:27:02.080000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2803, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 663, "hostname": 1166, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6261, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79407f372622f2f17c9e3", "name": "Cyber Harassment \u2022 Trojan \u2022 Emotet \u2022 Ransomware \u2022 Spyware \u2022 Command & Control \u2022 Cameras \u2022 Defamation ", "description": "", "modified": "2023-09-23T16:00:22.076000", "created": "2023-08-24T17:31:51.552000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e7898e8219d8eca7d41720", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2939, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 670, "hostname": 1178, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6416, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e794d621be8e0ca0cdff1c", "name": "DNS Poisoning ", "description": "", "modified": "2023-09-23T16:00:22.076000", "created": "2023-08-24T17:35:18.732000", "tags": [ "united", "as13335", "unknown", "search", "passive dns", "date", "creation date", "aaaa", "showing", "scan endpoints", "body", "open ports", "all search", "otx octoseek", "ipv4", "pulse pulses", "general full", "server", "reverse dns", "url http", "resource", "hash", "software", "kb script", "san francisco", "facebook", "cookie", "march", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "google", "dns replication", "type name", "text", "full name", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "first", "namecheap", "code", "registrar abuse", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "text text", "magic iso8859", "trid file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e794b01067ba240b4da90a", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2803, "FileHash-MD5": 923, "FileHash-SHA1": 197, "domain": 663, "hostname": 1166, "FileHash-SHA256": 489, "CIDR": 13, "email": 7 }, "indicator_count": 6261, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://notredamewormhoutnet.appleid.com/", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "applestore.net", "airinthemorning.net", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "news-publisher.pictures", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "fmfmobile.fe.apple-dns.net", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://certs.apple.com/appleistca2g1_bc.cer", "\u2193Command and Control \u2193", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "p155-fmfmobile.icloud.com", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Tinba", "Networm", "Swrort", "Union", "Zeus", "Fusioncore", "Win:zgrat", "Systweak", "Suppobox", "Trojan.agensla/msil", "Redline", "Zbot", "Wacatac.", "Softcnapp", "Xrat", "Blacknet", "Kraddare", "Nircmd", "Tiggre", "Bambernek", "Noname057", "Emotet", "Virus:dos/nanjing" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 23, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "7 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "7 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a971ab44409ecb7018428", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:54.823000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9718ac97804d782cc16b", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:52.614000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6569984495dfed1b14e29217", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-01T08:24:36.293000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a6956f101265e30310a0", "name": "Phishing", "description": "", "modified": "2023-12-06T16:51:33.501000", "created": "2023-12-06T16:51:33.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0b0ed49276711ff5728", "name": "Malicious Spreader \u2022 Web Content Scraper \u2022 Ransomware \u2022 Keyloggers \u2022 Command & Control", "description": "", "modified": "2023-12-06T16:26:24.648000", "created": "2023-12-06T16:26:24.648000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 899, "domain": 635, "FileHash-MD5": 1045, "FileHash-SHA1": 312, "FileHash-SHA256": 538, "URL": 1564, "email": 11, "CIDR": 13 }, "indicator_count": 5017, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0ac729cb9725b741ef7", "name": "DNS Poisoning", "description": "", "modified": "2023-12-06T16:26:20.834000", "created": "2023-12-06T16:26:20.834000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0a87b69b80bc3d231c4", "name": "Targets Dropbox \u2022 iPhone \u2022 Notepad \u2022 Emotet \u2022 Keyloggers \u2022 Malvertising \u2022 Ransomware", "description": "", "modified": "2023-12-06T16:26:16.649000", "created": "2023-12-06T16:26:16.649000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1456, "CIDR": 13, "email": 7 }, "indicator_count": 4358, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0a486cebe9b81c62539", "name": "Cyber Harassment \u2022 Trojan \u2022 Emotet \u2022 Ransomware \u2022 Spyware \u2022 Command & Control \u2022 Cameras \u2022 Defamation", "description": "", "modified": "2023-12-06T16:26:12.489000", "created": "2023-12-06T16:26:12.489000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 827, "domain": 588, "FileHash-MD5": 909, "FileHash-SHA1": 186, "FileHash-SHA256": 372, "URL": 1470, "CIDR": 13, "email": 7 }, "indicator_count": 4372, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "backboneplugins.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "backboneplugins.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776636907.9900537 }