{ "type": "Domain", "indicator": "cryss.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cryss.org", "alexa": "http://www.alexa.com/siteinfo/cryss.org", "indicator": "cryss.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2944912497, "indicator": "cryss.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670ffc8487aaf80605755b62", "name": "vgt.pl (VGT.pl) or plix.pl (plix.net) 104.21.40.140 172.67.186.229", "description": "You can get help with your computer problems using the Help and Support section or via Skype or Telegram, if you want to get in touch with the support team or use the help of the UK's TalkTalk service.", "modified": "2024-12-30T17:38:55.943000", "created": "2024-10-16T17:48:52.704000", "tags": [ "pe32", "intel", "ms windows", "plik", "trojandropper", "trojan", "win32", "msil", "sha1", "sha256", "imphasz", "tekst ascii", "dane obrazu", "crlf", "dokument html", "unicode", "z bom", "rgba", "z terminatorami", "z bardzo", "utf8 unicode", "sobota", "sie usertrust", "salford o", "comodo ca", "limited st", "salt lake", "city o", "wto cze", "worldsetup c", "il l", "error", "null", "mapa", "liczba", "string", "bigint", "obiekt", "prawa autorskie", "nieznanybd", "uint8array", "android", "void", "unknown", "false", "roboto", "body", "this", "infinity", "outside", "span", "as13335", "cloudflare", "datasheet", "arkusz", "wyszukiwarka", "control panel", "support", "email", "a letter", "help", "mail", "management", "jpeg", "jfif", "dane", "dpcm", "ascii z", "dane archiwalne", "windows" ], "references": [ "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "http://plix.net", "http://www.plix.net", "https://www.plix.pl", "http://www.plix.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 291, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 516, "hostname": 705, "URL": 1831, "FileHash-SHA256": 3315, "CIDR": 4, "IPv6": 4, "IPv4": 49, "FileHash-MD5": 794, "FileHash-SHA1": 572, "email": 1, "CVE": 14 }, "indicator_count": 7805, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "517 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "779 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9f3ad7db0aa9475e86d0", "name": "https://theanimallawfirm.com/", "description": "", "modified": "2023-12-22T21:04:18.086000", "created": "2023-12-02T03:06:34.870000", "tags": [ "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample", "n64xtx0vpihxzc", "qpyrn6pd", "detection list", "blacklist http", "cisco umbrella", "site", "site top", "alexa top", "safe site", "heur", "html", "site safe", "million", "malware", "artemis", "win64", "downldr", "presenoker", "fakealert", "riskware", "qakbot", "applicunwnt", "opencandy", "fusioncore", "cleaner", "wacatac", "exploit", "iframe", "dbatloader", "raccoon", "service", "agent", "alexa", "xtrat", "team", "phish", "deepscan", "crack", "suspicious", "phishing", "xrat", "cve201711882", "d26a", "maltiverse", "trojanspy", "united", "cyber threat", "engineering", "malicious site", "bank", "phishing site", "covid19", "facebook", "download", "emotet", "stealer", "suppobox", "downloader", "unsafe", "malicious", "smsspy", "cobalt strike", "generic", "dropper", "formbook", "unruy", "virut", "azorult", "zbot", "matsnu", "cutwail", "bradesco", "outbreak", "qbot", "bankerx", "nimda", "swrort", "adwind", "trojanx", "squirrelwaffle", "pony", "binder", "ramnit", "virustotal", "zeus", "nymaim", "simda", "runescape", "dnspionage", "redirector", "killav", "dcrat", "alien", "astaroth", "filerepmalware", "control server", "asyncrat", "redline stealer", "daum", "name verdict" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "D26A", "display_name": "D26A", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655e7e82c65d8e9106e6a227", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 592, "FileHash-SHA1": 320, "FileHash-SHA256": 1159, "URL": 1257, "domain": 1219, "hostname": 403, "CVE": 15 }, "indicator_count": 4965, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655e7ed63ab06f2006c90b1c", "name": "DNSpionage, ", "description": "", "modified": "2023-12-22T21:04:18.086000", "created": "2023-11-22T22:21:10.853000", "tags": [ "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample", "n64xtx0vpihxzc", "qpyrn6pd", "detection list", "blacklist http", "cisco umbrella", "site", "site top", "alexa top", "safe site", "heur", "html", "site safe", "million", "malware", "artemis", "win64", "downldr", "presenoker", "fakealert", "riskware", "qakbot", "applicunwnt", "opencandy", "fusioncore", "cleaner", "wacatac", "exploit", "iframe", "dbatloader", "raccoon", "service", "agent", "alexa", "xtrat", "team", "phish", "deepscan", "crack", "suspicious", "phishing", "xrat", "cve201711882", "d26a", "maltiverse", "trojanspy", "united", "cyber threat", "engineering", "malicious site", "bank", "phishing site", "covid19", "facebook", "download", "emotet", "stealer", "suppobox", "downloader", "unsafe", "malicious", "smsspy", "cobalt strike", "generic", "dropper", "formbook", "unruy", "virut", "azorult", "zbot", "matsnu", "cutwail", "bradesco", "outbreak", "qbot", "bankerx", "nimda", "swrort", "adwind", "trojanx", "squirrelwaffle", "pony", "binder", "ramnit", "virustotal", "zeus", "nymaim", "simda", "runescape", "dnspionage", "redirector", "killav", "dcrat", "alien", "astaroth", "filerepmalware", "control server", "asyncrat", "redline stealer", "daum", "name verdict" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "D26A", "display_name": "D26A", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655e7e82c65d8e9106e6a227", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 592, "FileHash-SHA1": 320, "FileHash-SHA256": 1159, "URL": 1257, "domain": 1219, "hostname": 403, "CVE": 15 }, "indicator_count": 4965, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655e7e82c65d8e9106e6a227", "name": "https://theanimallawfirm.com/", "description": "", "modified": "2023-12-22T21:04:18.086000", "created": "2023-11-22T22:19:46.485000", "tags": [ "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample", "n64xtx0vpihxzc", "qpyrn6pd", "detection list", "blacklist http", "cisco umbrella", "site", "site top", "alexa top", "safe site", "heur", "html", "site safe", "million", "malware", "artemis", "win64", "downldr", "presenoker", "fakealert", "riskware", "qakbot", "applicunwnt", "opencandy", "fusioncore", "cleaner", "wacatac", "exploit", "iframe", "dbatloader", "raccoon", "service", "agent", "alexa", "xtrat", "team", "phish", "deepscan", "crack", "suspicious", "phishing", "xrat", "cve201711882", "d26a", "maltiverse", "trojanspy", "united", "cyber threat", "engineering", "malicious site", "bank", "phishing site", "covid19", "facebook", "download", "emotet", "stealer", "suppobox", "downloader", "unsafe", "malicious", "smsspy", "cobalt strike", "generic", "dropper", "formbook", "unruy", "virut", "azorult", "zbot", "matsnu", "cutwail", "bradesco", "outbreak", "qbot", "bankerx", "nimda", "swrort", "adwind", "trojanx", "squirrelwaffle", "pony", "binder", "ramnit", "virustotal", "zeus", "nymaim", "simda", "runescape", "dnspionage", "redirector", "killav", "dcrat", "alien", "astaroth", "filerepmalware", "control server", "asyncrat", "redline stealer", "daum", "name verdict" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "D26A", "display_name": "D26A", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 592, "FileHash-SHA1": 320, "FileHash-SHA256": 1159, "URL": 1257, "domain": 1219, "hostname": 403, "CVE": 15 }, "indicator_count": 4965, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709525ebd226605132f7bd", "name": "oh my doom server - www.thumpertalk.com", "description": "", "modified": "2023-12-06T15:37:09.014000", "created": "2023-12-06T15:37:09.014000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 669, "domain": 583, "hostname": 946, "URL": 2598, "FileHash-MD5": 12, "FileHash-SHA1": 12 }, "indicator_count": 4822, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657093d1828a41677ba40104", "name": "www.omnis.com - admin.bookszap.com", "description": "", "modified": "2023-12-06T15:31:29.983000", "created": "2023-12-06T15:31:29.983000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 415, "FileHash-SHA256": 509, "domain": 93, "hostname": 180, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 1199, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e83c28406ffed5c2e76", "name": "-child-of-light.apk - modelpush.com", "description": "", "modified": "2023-12-06T15:08:51.625000", "created": "2023-12-06T15:08:51.625000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1129, "URL": 2039, "hostname": 614, "domain": 345, "FileHash-MD5": 49, "FileHash-SHA1": 45 }, "indicator_count": 4223, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707ec3c760eea3873db672", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2023-12-06T14:01:39.582000", "created": "2023-12-06T14:01:39.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1950, "hostname": 1620, "domain": 900, "URL": 6563 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "639b6c20f219ec9a2c093f48", "name": "oh my doom server - www.thumpertalk.com", "description": "otx crashed on i think the 34. aws ip's i suspect some data is missing\nThis is only one forum post url collection", "modified": "2023-01-14T17:04:27.799000", "created": "2022-12-15T18:49:04.393000", "tags": [ "bounce bmx", "facebook", "bounce", "strong", "create new", "loading", "account", "account bounce", "liked home", "photos videos", "twitter", "bts gy200", "panther", "value", "written", "good points", "extra", "bad points", "no centre", "general", "ebay", "akuma assassin", "pure rush", "x pit", "dirt bike", "stomps juicebox", "pit bikes", "quads", "fastace", "mikuni", "karma", "post subject", "back", "lexmoto", "please", "chat forums", "dab0b", "dab0b l", "plate warrior", "paddy", "ninja", "cool", "phpbb", "l plate", "warrior", "rogerborg", "rogerborg nimba", "biking", "lf250b", "burgman", "register board", "welcome", "c90 club", "skip", "quick", "faq login", "username", "remember", "hide", "register", "august", "share", "link", "kdxgarage", "kawasaki", "sign", "dub250", "ride my", "ride share", "find", "Win32:Unruy-AA\\ [Trj]", "Win.Trojan.Unruy-277", "64.190.63.111", "\"http://www.mypurerush.com/images/product/large/EG06%20exhaust%2" ], "references": [ "0002cb9cd8707906e51cdfae7c3c47234cd2617a0b8145e63c29e74e8b6dc824", "bouncebmx.html - Bounce BMX is a Facebook page where you can find out more about the sport and the people who run the page and share the content on the social network, and also about how it", "901852-loose-pipe-and-exhaust-leak.html", "http://basemaps.cartocdn.com/dark_all/%7Bz%7D/%7Bx%7D/%7By%7D.png - URL http://basemaps.cartocdn.com/light_all/%7Bz%7D/%7Bx%7D/%7By%7D.png cartocdn.com: domain", "viewtopic.php 2.html", "viewtopic.php 3.html", "4518053040.html", "You must be logged in to rate posts on the Lexmoto forum - here is the full list of posts, which can now be viewed at \u00c2\u00a320,000 or more, if you want to join the", "review185998.html", "www.mypurerush.com.html", "Mypurerush.com is a website that promotes and promotes the use of a specific product, product or service on a different website, but does not endorse any of its products or services.", "jermaine-carlyle-stratton-15278012.html", "\"http://www.mypurerush.com/images/product/large/EG06%20exhaust%20gasket%20pit%20bike%20spare%20part.jpg", "www.thumpertalk.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Unruy-AA\\ [Trj]", "display_name": "Win32:Unruy-AA\\ [Trj]", "target": null }, { "id": "Win.Trojan.Unruy-277", "display_name": "Win.Trojan.Unruy-277", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 946, "URL": 2598, "domain": 583, "FileHash-SHA256": 669, "CVE": 2, "FileHash-MD5": 12, "FileHash-SHA1": 12 }, "indicator_count": 4822, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636a8ac4c57a3326598ae16d", "name": "www.omnis.com - admin.bookszap.com", "description": "", "modified": "2022-12-08T16:03:41.680000", "created": "2022-11-08T16:58:44.437000", "tags": [ "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 415, "hostname": 180, "domain": 93, "FileHash-SHA256": 509, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 1199, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628790a98f4d08a9f26947d9", "name": "-child-of-light.apk - modelpush.com", "description": "", "modified": "2022-06-19T00:05:22.053000", "created": "2022-05-20T12:59:21.514000", "tags": [ "referrer", "april", "retn ltd", "fortunatime bot", "unifiedlayer", "kddi corp", "found", "msie", "slcc2", "windows nt", "february", "malicious", "CVE-2021-22941", "CVE-2017-0147", "://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/" ], "references": [ "https://hybrid-analysis.com/sample/fa8a5606300ad048e7d0d2e01d0bdba7d54695e77433210adc6401ee81c4d7d3/5b0ab76e7ca3e11d876276f3", "CVE-2021-22941", "CVE-2017-0147", "https://hybrid-analysis.com/sample/6460d401f5e79dcc2a68bf945ca904417ed3f19ea8281ef001a4cba7d8fd915e/5c58a4447ca3e115bc697d0e", "https://www.virustotal.com/graph/gb15530a37f4d44d9879990be0766a52268d3722fa8cf411396c51b29b7ac32e2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1129, "domain": 345, "URL": 2039, "hostname": 614, "CVE": 2, "FileHash-MD5": 49, "FileHash-SHA1": 45 }, "indicator_count": 4223, "is_author": false, "is_subscribing": null, "subscriber_count": 396, "modified_text": "1443 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6213f8adc8cfe3f681957ed1", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T20:40:13.490000", "tags": [ "ssl certificate", "whois record", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1620, "URL": 6563, "FileHash-SHA256": 1950, "domain": 900, "CVE": 1 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1531 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "Thor Scan: S-I9VvMTB6cZU", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "CVE-2017-0147", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "http://plix.net", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "http://basemaps.cartocdn.com/dark_all/%7Bz%7D/%7Bx%7D/%7By%7D.png - URL http://basemaps.cartocdn.com/light_all/%7Bz%7D/%7Bx%7D/%7By%7D.png cartocdn.com: domain", "jermaine-carlyle-stratton-15278012.html", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "www.thumpertalk.com", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "review185998.html", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "https://hybrid-analysis.com/sample/fa8a5606300ad048e7d0d2e01d0bdba7d54695e77433210adc6401ee81c4d7d3/5b0ab76e7ca3e11d876276f3", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "901852-loose-pipe-and-exhaust-leak.html", "https://tria.ge/240521-q4s79agb25/static1", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "You must be logged in to rate posts on the Lexmoto forum - here is the full list of posts, which can now be viewed at \u00c2\u00a320,000 or more, if you want to join the", "CVE-2021-22941", "0002cb9cd8707906e51cdfae7c3c47234cd2617a0b8145e63c29e74e8b6dc824", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://www.plix.pl", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "http://www.plix.net", "viewtopic.php 2.html", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://urlscan.io/search/#ualberta.ca", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "4518053040.html", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://hybrid-analysis.com/sample/6460d401f5e79dcc2a68bf945ca904417ed3f19ea8281ef001a4cba7d8fd915e/5c58a4447ca3e115bc697d0e", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "bouncebmx.html - Bounce BMX is a Facebook page where you can find out more about the sport and the people who run the page and share the content on the social network, and also about how it", "http://www.plix.pl", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://www.virustotal.com/graph/gb15530a37f4d44d9879990be0766a52268d3722fa8cf411396c51b29b7ac32e2", "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://tulach.cc/ [phishing]", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "AppRegistrationList.csv", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "\"http://www.mypurerush.com/images/product/large/EG06%20exhaust%20gasket%20pit%20bike%20spare%20part.jpg", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "viewtopic.php 3.html", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "https://tria.ge/240517-t9pc2ahb2t", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "0-w5-cms.ultimate-guitar.com", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "*otc.greatcall.com [Botnetwork]", "Mypurerush.com is a website that promotes and promotes the use of a specific product, product or service on a different website, but does not endorse any of its products or services.", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "www.mypurerush.com.html", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "All - EnterpriseAppsList.csv", "tulach.cc. [Malevolent | Modified description]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Out For Blood", "Qbot" ], "malware_families": [ "Trojanspy", "Win32:unruy-aa\\ [trj]", "Roblox", "Maltiverse", "Tulach malware", "Win.trojan.unruy-277", "D26a" ], "industries": [ "Education", "Government", "Technology", "Healthcare", "Civil society", "Telecommunications", "Private sector" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670ffc8487aaf80605755b62", "name": "vgt.pl (VGT.pl) or plix.pl (plix.net) 104.21.40.140 172.67.186.229", "description": "You can get help with your computer problems using the Help and Support section or via Skype or Telegram, if you want to get in touch with the support team or use the help of the UK's TalkTalk service.", "modified": "2024-12-30T17:38:55.943000", "created": "2024-10-16T17:48:52.704000", "tags": [ "pe32", "intel", "ms windows", "plik", "trojandropper", "trojan", "win32", "msil", "sha1", "sha256", "imphasz", "tekst ascii", "dane obrazu", "crlf", "dokument html", "unicode", "z bom", "rgba", "z terminatorami", "z bardzo", "utf8 unicode", "sobota", "sie usertrust", "salford o", "comodo ca", "limited st", "salt lake", "city o", "wto cze", "worldsetup c", "il l", "error", "null", "mapa", "liczba", "string", "bigint", "obiekt", "prawa autorskie", "nieznanybd", "uint8array", "android", "void", "unknown", "false", "roboto", "body", "this", "infinity", "outside", "span", "as13335", "cloudflare", "datasheet", "arkusz", "wyszukiwarka", "control panel", "support", "email", "a letter", "help", "mail", "management", "jpeg", "jfif", "dane", "dpcm", "ascii z", "dane archiwalne", "windows" ], "references": [ "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "http://plix.net", "http://www.plix.net", "https://www.plix.pl", "http://www.plix.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 291, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 516, "hostname": 705, "URL": 1831, "FileHash-SHA256": 3315, "CIDR": 4, "IPv6": 4, "IPv4": 49, "FileHash-MD5": 794, "FileHash-SHA1": 572, "email": 1, "CVE": 14 }, "indicator_count": 7805, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "517 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "779 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9f3ad7db0aa9475e86d0", "name": "https://theanimallawfirm.com/", "description": "", "modified": "2023-12-22T21:04:18.086000", "created": "2023-12-02T03:06:34.870000", "tags": [ "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample", "n64xtx0vpihxzc", "qpyrn6pd", "detection list", "blacklist http", "cisco umbrella", "site", "site top", "alexa top", "safe site", "heur", "html", "site safe", "million", "malware", "artemis", "win64", "downldr", "presenoker", "fakealert", "riskware", "qakbot", "applicunwnt", "opencandy", "fusioncore", "cleaner", "wacatac", "exploit", "iframe", "dbatloader", "raccoon", "service", "agent", "alexa", "xtrat", "team", "phish", "deepscan", "crack", "suspicious", "phishing", "xrat", "cve201711882", "d26a", "maltiverse", "trojanspy", "united", "cyber threat", "engineering", "malicious site", "bank", "phishing site", "covid19", "facebook", "download", "emotet", "stealer", "suppobox", "downloader", "unsafe", "malicious", "smsspy", "cobalt strike", "generic", "dropper", "formbook", "unruy", "virut", "azorult", "zbot", "matsnu", "cutwail", "bradesco", "outbreak", "qbot", "bankerx", "nimda", "swrort", "adwind", "trojanx", "squirrelwaffle", "pony", "binder", "ramnit", "virustotal", "zeus", "nymaim", "simda", "runescape", "dnspionage", "redirector", "killav", "dcrat", "alien", "astaroth", "filerepmalware", "control server", "asyncrat", "redline stealer", "daum", "name verdict" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "D26A", "display_name": "D26A", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655e7e82c65d8e9106e6a227", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 592, "FileHash-SHA1": 320, "FileHash-SHA256": 1159, "URL": 1257, "domain": 1219, "hostname": 403, "CVE": 15 }, "indicator_count": 4965, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655e7ed63ab06f2006c90b1c", "name": "DNSpionage, ", "description": "", "modified": "2023-12-22T21:04:18.086000", "created": "2023-11-22T22:21:10.853000", "tags": [ "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample", "n64xtx0vpihxzc", "qpyrn6pd", "detection list", "blacklist http", "cisco umbrella", "site", "site top", "alexa top", "safe site", "heur", "html", "site safe", "million", "malware", "artemis", "win64", "downldr", "presenoker", "fakealert", "riskware", "qakbot", "applicunwnt", "opencandy", "fusioncore", "cleaner", "wacatac", "exploit", "iframe", "dbatloader", "raccoon", "service", "agent", "alexa", "xtrat", "team", "phish", "deepscan", "crack", "suspicious", "phishing", "xrat", "cve201711882", "d26a", "maltiverse", "trojanspy", "united", "cyber threat", "engineering", "malicious site", "bank", "phishing site", "covid19", "facebook", "download", "emotet", "stealer", "suppobox", "downloader", "unsafe", "malicious", "smsspy", "cobalt strike", "generic", "dropper", "formbook", "unruy", "virut", "azorult", "zbot", "matsnu", "cutwail", "bradesco", "outbreak", "qbot", "bankerx", "nimda", "swrort", "adwind", "trojanx", "squirrelwaffle", "pony", "binder", "ramnit", "virustotal", "zeus", "nymaim", "simda", "runescape", "dnspionage", "redirector", "killav", "dcrat", "alien", "astaroth", "filerepmalware", "control server", "asyncrat", "redline stealer", "daum", "name verdict" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "D26A", "display_name": "D26A", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655e7e82c65d8e9106e6a227", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 592, "FileHash-SHA1": 320, "FileHash-SHA256": 1159, "URL": 1257, "domain": 1219, "hostname": 403, "CVE": 15 }, "indicator_count": 4965, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655e7e82c65d8e9106e6a227", "name": "https://theanimallawfirm.com/", "description": "", "modified": "2023-12-22T21:04:18.086000", "created": "2023-11-22T22:19:46.485000", "tags": [ "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample", "n64xtx0vpihxzc", "qpyrn6pd", "detection list", "blacklist http", "cisco umbrella", "site", "site top", "alexa top", "safe site", "heur", "html", "site safe", "million", "malware", "artemis", "win64", "downldr", "presenoker", "fakealert", "riskware", "qakbot", "applicunwnt", "opencandy", "fusioncore", "cleaner", "wacatac", "exploit", "iframe", "dbatloader", "raccoon", "service", "agent", "alexa", "xtrat", "team", "phish", "deepscan", "crack", "suspicious", "phishing", "xrat", "cve201711882", "d26a", "maltiverse", "trojanspy", "united", "cyber threat", "engineering", "malicious site", "bank", "phishing site", "covid19", "facebook", "download", "emotet", "stealer", "suppobox", "downloader", "unsafe", "malicious", "smsspy", "cobalt strike", "generic", "dropper", "formbook", "unruy", "virut", "azorult", "zbot", "matsnu", "cutwail", "bradesco", "outbreak", "qbot", "bankerx", "nimda", "swrort", "adwind", "trojanx", "squirrelwaffle", "pony", "binder", "ramnit", "virustotal", "zeus", "nymaim", "simda", "runescape", "dnspionage", "redirector", "killav", "dcrat", "alien", "astaroth", "filerepmalware", "control server", "asyncrat", "redline stealer", "daum", "name verdict" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "D26A", "display_name": "D26A", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 592, "FileHash-SHA1": 320, "FileHash-SHA256": 1159, "URL": 1257, "domain": 1219, "hostname": 403, "CVE": 15 }, "indicator_count": 4965, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cryss.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cryss.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780319596.0389533 }