{ "type": "Domain", "indicator": "blationmedia.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/blationmedia.com", "alexa": "http://www.alexa.com/siteinfo/blationmedia.com", "indicator": "blationmedia.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 214879, "indicator": "blationmedia.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a88fd21eefde90f63d599a", "name": "morsecorp.com", "description": "MA unsigned dnssec scanning host", "modified": "2026-04-03T22:17:43.738000", "created": "2026-03-04T20:02:26.028000", "tags": [ "united", "unknown", "as8987 amazon", "as13335", "date", "status", "as44273 host", "cname", "aaaa", "gmt content" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "URL": 66, "domain": 317, "hostname": 50, "email": 1 }, "indicator_count": 437, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "57 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666d1488316880c73e04054e", "name": "Prorat.19.i | Backdoor:Win32/Tofsee.T - Amazon.com | iOS | Denver", "description": "Targets family members device attacked while shopping on Amazon.com using an obviously device compromised, newer, fully updated iOS device. \nAmazon legal? [legal-choice.ru, youla.legal, https://www.effectv.com/legal/advertiser-terms-and-conditions]\n[applehealthcare.com apple-rehab.com: Backdoor:Win32/Tofsee.T]\nAdversarial CnC over devices and networks.\nRelentless attacks.", "modified": "2024-07-15T03:03:34.888000", "created": "2024-06-15T04:11:52.737000", "tags": [ "server", "hostmaster", "amazon legal", "dept", "amazon", "street", "stateprovince", "postal code", "view whois", "whois record", "date", "contact", "threat roundup", "november", "march", "december", "february", "october", "january", "highly targeted", "data", "boost mobile", "formbook", "response final", "url https", "ip address", "status code", "body length", "kb body", "sha256", "headers", "ord52c2 via", "cloudfront", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "june", "click", "strings", "error", "tools", "look", "verify", "restart", "unknown", "embeddedwb", "windows", "search", "medium", "united", "show", "whitelisted", "shellexecuteexw", "msie", "tofsee", "service", "write", "win32", "malware", "copy", "a nxdomain", "passive dns", "domain", "scan endpoints", "all scoreblue", "pulse pulses", "urls", "files", "ip related", "process32nextw", "components", "writeconsolew", "copy c", "delete c", "query", "useruin", "delphi", "capture", "install", "prorat", "url http", "http", "related nids", "files location", "regsetvalueexa", "hx88x89", "regbinary", "x95xd3xa4", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "x93xaf", "stream", "persistence", "execution", "creation date", "entries", "as44273 host", "record value", "status", "nxdomain", "content type", "accept", "gmt server", "gmt etag", "accept encoding", "ipv4", "path", "pragma", "name servers", "west domains", "hostname", "next", "asnone germany", "as21499 host", "singapore", "france", "object", "com cnt", "dem fin", "found", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "levelblue", "open threat", "meta", "a div", "div div", "france unknown", "ok server", "type", "seychelles", "whitesky", "as29182 jsc", "showing", "as24940 hetzner", "moved", "expiration date", "aaaa", "russia", "as15169 google", "germany", "emails", "germany unknown", "a domains", "body doctype", "html public", "ietfdtd html", "finland", "asnone iran", "iran", "td tr", "td td", "tbody", "tr tr", "domains", "backdoor", "apple", "radio hacking", "voicestram", "listening", "trojan", "twitter", "servers", "vbs", "data center", "avg clamav", "msdefender sep", "vitro mar", "Win32:Vitro", "target: tsara brashears", "target: brashears personal devices", "target: whitesky communication network", "target: accounting firm devices", "targets: intellectual property", "redrum", "open", "tr tbody", "rsa ca", "apache", "as7922 comcast", "pulse submit", "url analysis", "epss", "impact", "cve cve20178977", "exploits", "targeted", "cve overview", "media" ], "references": [ "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com", "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network", "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall", "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383", "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features", "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports", "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com", "message.htm.com | Ransomware", "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN", "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net", "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com", "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com", "Some items found relates to research exploited against or researched by target: disabled_duck", "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26", "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae", "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268", "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147", "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot", "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs", "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin", "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn", "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,", "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login", "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ", "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0", "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977", "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882" ], "public": 1, "adversary": "", "targeted_countries": [ "Seychelles", "Netherlands", "France", "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win32:BackdoorX-gen\\ [Trj]", "display_name": "Win32:BackdoorX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Tofsee-6840338-0", "display_name": "Win.Trojan.Tofsee-6840338-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Dursg.K", "display_name": "Trojan:Win32/Dursg.K", "target": "/malware/Trojan:Win32/Dursg.K" }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Downloader-42770", "display_name": "Win.Trojan.Downloader-42770", "target": null }, { "id": "TrojanDownloader:JS/Nemucod.QJ", "display_name": "TrojanDownloader:JS/Nemucod.QJ", "target": "/malware/TrojanDownloader:JS/Nemucod.QJ" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "Win.Trojan.Magania-13720", "display_name": "Win.Trojan.Magania-13720", "target": null }, { "id": "Win32:Sality", "display_name": "Win32:Sality", "target": null }, { "id": "Win.Trojan.Swisyn-6819", "display_name": "Win.Trojan.Swisyn-6819", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Win.Trojan.Agent-1313630", "display_name": "Win.Trojan.Agent-1313630", "target": null }, { "id": "Crypt_r.BCM", "display_name": "Crypt_r.BCM", "target": null }, { "id": "ALF:AGGR:Exploit:O97M/CVE-2017-11882", "display_name": "ALF:AGGR:Exploit:O97M/CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [ "Retail", "Technology", "Telecommunications", "Civil Society", "Online Shopping", "Legal" ], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1965, "hostname": 1378, "domain": 1922, "FileHash-SHA256": 2639, "FileHash-MD5": 386, "FileHash-SHA1": 377, "email": 11, "CVE": 2 }, "indicator_count": 8680, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f8e7071260c9427929391f", "name": "AS44273 host europe gmbh", "description": "", "modified": "2024-04-18T00:00:00.444000", "created": "2024-03-19T01:14:47.809000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 98 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "773 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147", "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login", "Some items found relates to research exploited against or researched by target: disabled_duck", "youngcoders.ng", "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports", "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "https://www.pornhub.com/video/search?search=tsara+brashears", "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26", "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977", "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977", "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net", "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com", "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com", "message.htm.com | Ransomware", "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features", "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383", "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot", "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com", "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall", "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0", "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae", "Sakula RAT: www.polarroute.com", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win.trojan.downloader-42770", "Win.trojan.magania-13720", "Win32:trojan-gen", "Win32:sality", "Sakula rat", "Alf:exploit:o97m/cve-2017-8977", "Win32:salicode", "Crypt_r.bcm", "Alf:aggr:exploit:o97m/cve-2017-11882", "Alf:heraklezeval:virtool:win32/waledac!rfn", "Win.trojan.swisyn-6819", "Win.trojan.tofsee-6840338-0", "Trojandownloader:js/nemucod.qj", "Win32:backdoorx-gen\\ [trj]", "Sakula", "Win.packer.pkr_ce1a-9980177-0", "Trojan:win32/dursg.k", "Win32:kamso", "Trojandownloader:win32/banload", "Backdoor:win32/tofsee.t", "Win.trojan.agent-1313630" ], "industries": [ "Legal", "Telecommunications", "Civil society", "Technology", "Retail", "Online shopping" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a88fd21eefde90f63d599a", "name": "morsecorp.com", "description": "MA unsigned dnssec scanning host", "modified": "2026-04-03T22:17:43.738000", "created": "2026-03-04T20:02:26.028000", "tags": [ "united", "unknown", "as8987 amazon", "as13335", "date", "status", "as44273 host", "cname", "aaaa", "gmt content" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "URL": 66, "domain": 317, "hostname": 50, "email": 1 }, "indicator_count": 437, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "57 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666d1488316880c73e04054e", "name": "Prorat.19.i | Backdoor:Win32/Tofsee.T - Amazon.com | iOS | Denver", "description": "Targets family members device attacked while shopping on Amazon.com using an obviously device compromised, newer, fully updated iOS device. \nAmazon legal? [legal-choice.ru, youla.legal, https://www.effectv.com/legal/advertiser-terms-and-conditions]\n[applehealthcare.com apple-rehab.com: Backdoor:Win32/Tofsee.T]\nAdversarial CnC over devices and networks.\nRelentless attacks.", "modified": "2024-07-15T03:03:34.888000", "created": "2024-06-15T04:11:52.737000", "tags": [ "server", "hostmaster", "amazon legal", "dept", "amazon", "street", "stateprovince", "postal code", "view whois", "whois record", "date", "contact", "threat roundup", "november", "march", "december", "february", "october", "january", "highly targeted", "data", "boost mobile", "formbook", "response final", "url https", "ip address", "status code", "body length", "kb body", "sha256", "headers", "ord52c2 via", "cloudfront", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "june", "click", "strings", "error", "tools", "look", "verify", "restart", "unknown", "embeddedwb", "windows", "search", "medium", "united", "show", "whitelisted", "shellexecuteexw", "msie", "tofsee", "service", "write", "win32", "malware", "copy", "a nxdomain", "passive dns", "domain", "scan endpoints", "all scoreblue", "pulse pulses", "urls", "files", "ip related", "process32nextw", "components", "writeconsolew", "copy c", "delete c", "query", "useruin", "delphi", "capture", "install", "prorat", "url http", "http", "related nids", "files location", "regsetvalueexa", "hx88x89", "regbinary", "x95xd3xa4", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "x93xaf", "stream", "persistence", "execution", "creation date", "entries", "as44273 host", "record value", "status", "nxdomain", "content type", "accept", "gmt server", "gmt etag", "accept encoding", "ipv4", "path", "pragma", "name servers", "west domains", "hostname", "next", "asnone germany", "as21499 host", "singapore", "france", "object", "com cnt", "dem fin", "found", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "levelblue", "open threat", "meta", "a div", "div div", "france unknown", "ok server", "type", "seychelles", "whitesky", "as29182 jsc", "showing", "as24940 hetzner", "moved", "expiration date", "aaaa", "russia", "as15169 google", "germany", "emails", "germany unknown", "a domains", "body doctype", "html public", "ietfdtd html", "finland", "asnone iran", "iran", "td tr", "td td", "tbody", "tr tr", "domains", "backdoor", "apple", "radio hacking", "voicestram", "listening", "trojan", "twitter", "servers", "vbs", "data center", "avg clamav", "msdefender sep", "vitro mar", "Win32:Vitro", "target: tsara brashears", "target: brashears personal devices", "target: whitesky communication network", "target: accounting firm devices", "targets: intellectual property", "redrum", "open", "tr tbody", "rsa ca", "apache", "as7922 comcast", "pulse submit", "url analysis", "epss", "impact", "cve cve20178977", "exploits", "targeted", "cve overview", "media" ], "references": [ "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com", "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network", "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall", "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383", "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features", "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports", "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com", "message.htm.com | Ransomware", "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN", "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net", "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com", "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com", "Some items found relates to research exploited against or researched by target: disabled_duck", "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26", "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae", "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268", "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147", "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot", "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs", "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin", "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn", "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,", "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login", "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ", "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0", "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977", "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882" ], "public": 1, "adversary": "", "targeted_countries": [ "Seychelles", "Netherlands", "France", "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win32:BackdoorX-gen\\ [Trj]", "display_name": "Win32:BackdoorX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Tofsee-6840338-0", "display_name": "Win.Trojan.Tofsee-6840338-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Dursg.K", "display_name": "Trojan:Win32/Dursg.K", "target": "/malware/Trojan:Win32/Dursg.K" }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Downloader-42770", "display_name": "Win.Trojan.Downloader-42770", "target": null }, { "id": "TrojanDownloader:JS/Nemucod.QJ", "display_name": "TrojanDownloader:JS/Nemucod.QJ", "target": "/malware/TrojanDownloader:JS/Nemucod.QJ" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "Win.Trojan.Magania-13720", "display_name": "Win.Trojan.Magania-13720", "target": null }, { "id": "Win32:Sality", "display_name": "Win32:Sality", "target": null }, { "id": "Win.Trojan.Swisyn-6819", "display_name": "Win.Trojan.Swisyn-6819", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Win.Trojan.Agent-1313630", "display_name": "Win.Trojan.Agent-1313630", "target": null }, { "id": "Crypt_r.BCM", "display_name": "Crypt_r.BCM", "target": null }, { "id": "ALF:AGGR:Exploit:O97M/CVE-2017-11882", "display_name": "ALF:AGGR:Exploit:O97M/CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [ "Retail", "Technology", "Telecommunications", "Civil Society", "Online Shopping", "Legal" ], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1965, "hostname": 1378, "domain": 1922, "FileHash-SHA256": 2639, "FileHash-MD5": 386, "FileHash-SHA1": 377, "email": 11, "CVE": 2 }, "indicator_count": 8680, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f8e7071260c9427929391f", "name": "AS44273 host europe gmbh", "description": "", "modified": "2024-04-18T00:00:00.444000", "created": "2024-03-19T01:14:47.809000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 98 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "773 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "blationmedia.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "blationmedia.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780227366.6186447 }