{ "type": "Domain", "indicator": "bodybuilders.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/bodybuilders.com", "alexa": "http://www.alexa.com/siteinfo/bodybuilders.com", "indicator": "bodybuilders.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3333163624, "indicator": "bodybuilders.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "65c4b7b44b63ea6ea0c503d8", "name": "Sabey targeting | Gains access to premier Denver Recording Studio", "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.", "modified": "2024-03-09T10:04:19.572000", "created": "2024-02-08T11:15:00.329000", "tags": [ "malware", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber espionage", "studio created", "minutes ago", "white goldmax", "sibot", "goldfinder", "python", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "pulses cve", "threat analyzer", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "sample", "urls https", "filehashsha1", "filehashmd5", "ipv4", "types of", "united kingdom", "united", "india", "china", "search", "pega type", "united states", "url https", "added active", "related pulses", "backdoor type", "discovery", "command", "all octoseek", "formbook", "goldmax", "ransomware", "njrat", "hacktool", "maui ransomware", "worm", "next", "type indicator", "role title", "go", "sabey", "tulach", "targeting tsara brashears", "utah", "whois record", "contacted", "ssl certificate", "referrer", "whois whois", "resolutions", "collections", "bundled", "execution", "lokibot", "tracer tool", "c2", "command and control", "sabey", "targeting", "hacking apple" ], "references": [ "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)", "https://sabeydatacenters.com/", "sabeydatacenters.com", "4jslg.sabeydatacenters.com", "https://sabeydatacenters.com/", "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0", "https://tulach.cc/ | [phishing | malware engineering]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing | data collection | property theft | target]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Go", "display_name": "Go", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Entertainment", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 422, "domain": 240, "hostname": 495, "CVE": 1, "FileHash-MD5": 75, "FileHash-SHA1": 73, "FileHash-SHA256": 843, "email": 2 }, "indicator_count": 2151, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b6b54d59d24b1522364fd6", "name": "AiCloud - Comcast Dnspionage", "description": "AiCloud, a cloud-based app that connects to Apple and Google, has been compromised by a malicious virus.", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-28T20:13:01.311000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b806e2724db65b47cf66e0", "name": "AiCloud - Comcast Dnspionage", "description": "", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-29T20:13:22.271000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": "65b6b54d59d24b1522364fd6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3af07b73d51dc4bb9efbc", "name": "Phrishing and MiSL, at odomou.com", "description": "Lots of communicating files, mostly misl amd phishing but also a few other random baddiez.", "modified": "2023-09-10T13:02:26.487000", "created": "2023-07-28T12:05:27.845000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "FileHash-MD5": 135, "FileHash-SHA1": 129, "URL": 316, "domain": 341, "hostname": 219, "CVE": 1 }, "indicator_count": 1630, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "994 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing | data collection | property theft | target]", "https://tulach.cc/ | [phishing | malware engineering]", "sabeydatacenters.com", "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0", "c-67-181-73-197.hsd1.ca.comcast.net", "https://sabeydatacenters.com/", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe", "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)", "4jslg.sabeydatacenters.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Goldfinder", "Pegasus", "Sabey", "Ransomware", "Hacktool", "Tulach", "Sibot", "Maui ransomware", "Go", "Trojandownloader:win32/cutwail", "Njrat", "Androidoverlaymalware - mob-s0012" ], "industries": [ "Entertainment", "Telecommunications", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "65c4b7b44b63ea6ea0c503d8", "name": "Sabey targeting | Gains access to premier Denver Recording Studio", "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.", "modified": "2024-03-09T10:04:19.572000", "created": "2024-02-08T11:15:00.329000", "tags": [ "malware", "scan endpoints", "all search", "otx octoseek", "report spam", "author", "cyber espionage", "studio created", "minutes ago", "white goldmax", "sibot", "goldfinder", "python", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "pulses cve", "threat analyzer", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "sample", "urls https", "filehashsha1", "filehashmd5", "ipv4", "types of", "united kingdom", "united", "india", "china", "search", "pega type", "united states", "url https", "added active", "related pulses", "backdoor type", "discovery", "command", "all octoseek", "formbook", "goldmax", "ransomware", "njrat", "hacktool", "maui ransomware", "worm", "next", "type indicator", "role title", "go", "sabey", "tulach", "targeting tsara brashears", "utah", "whois record", "contacted", "ssl certificate", "referrer", "whois whois", "resolutions", "collections", "bundled", "execution", "lokibot", "tracer tool", "c2", "command and control", "sabey", "targeting", "hacking apple" ], "references": [ "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)", "https://sabeydatacenters.com/", "sabeydatacenters.com", "4jslg.sabeydatacenters.com", "https://sabeydatacenters.com/", "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0", "https://tulach.cc/ | [phishing | malware engineering]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing | data collection | property theft | target]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Go", "display_name": "Go", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Entertainment", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 422, "domain": 240, "hostname": 495, "CVE": 1, "FileHash-MD5": 75, "FileHash-SHA1": 73, "FileHash-SHA256": 843, "email": 2 }, "indicator_count": 2151, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b6b54d59d24b1522364fd6", "name": "AiCloud - Comcast Dnspionage", "description": "AiCloud, a cloud-based app that connects to Apple and Google, has been compromised by a malicious virus.", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-28T20:13:01.311000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b806e2724db65b47cf66e0", "name": "AiCloud - Comcast Dnspionage", "description": "", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-29T20:13:22.271000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": "65b6b54d59d24b1522364fd6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3af07b73d51dc4bb9efbc", "name": "Phrishing and MiSL, at odomou.com", "description": "Lots of communicating files, mostly misl amd phishing but also a few other random baddiez.", "modified": "2023-09-10T13:02:26.487000", "created": "2023-07-28T12:05:27.845000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "FileHash-MD5": 135, "FileHash-SHA1": 129, "URL": 316, "domain": 341, "hostname": 219, "CVE": 1 }, "indicator_count": 1630, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "994 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "bodybuilders.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "bodybuilders.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780272320.1601043 }