{ "type": "Domain", "indicator": "downname.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/downname.com", "alexa": "http://www.alexa.com/siteinfo/downname.com", "indicator": "downname.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2893804918, "indicator": "downname.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "66e846796e72bee6be87c110", "name": "C:\\Program Files\\Microsoft Office\\root\\", "description": "C:\\Program Files\\Microsoft Office\\root\\\n\nIocs sampled from the directory: C:\\Program Files\\Microsoft Office\\root\\ (from an infected windows 11 sample PC)\nNot complete, will expand upon it later.\nUnder C:\\Program Files\\Microsoft Office there is...\n4x File Folders, 3x Edge HTML Docs", "modified": "2024-10-16T19:04:17.209000", "created": "2024-09-16T14:53:45.370000", "tags": [ "entity", "please", "javascript", "clientid", "platformwin32", "buildship", "architecturex86", "osbuild7601", "channeldcwin7", "installtypec2r", "sessionid" ], "references": [ "https://www.virustotal.com/graph/embed/g8c4e1b9704cb478f92c4fbb255016abe5beee3a86be54a118c68677c8976dcf7?theme=dark", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/iocs", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 3981, "URL": 685, "domain": 476, "hostname": 748 }, "indicator_count": 6178, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e3d1a94659d50264a78fd4", "name": "Phishing | TabExplorer attacks compromised networks and devices", "description": "", "modified": "2024-04-02T01:01:20.068000", "created": "2024-03-03T01:26:01.043000", "tags": [ "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "suricata udpv4", "date", "united", "windows nt", "win64", "hybrid", "general", "click", "strings", "contact", "url http", "url https", "scan endpoints", "all octoseek", "report spam", "hour ago", "whois record", "glasgow", "scan", "iocs", "next", "filehashsha256", "filehashmd5", "filehashsha1", "ipv4", "contacted", "execution", "pe resource", "communicating", "urls http", "referrer", "resolutions", "whois whois", "collections ip", "phishing", "attack", "loaded module", "remote procedure call", "search", "as15133 verizon", "passive dns", "urls", "creation date", "record value", "showing", "unknown", "as8075", "as15169 google", "as8068", "aaaa", "cname", "a domains", "meta", "entries", "gmt server", "ecacc saa83dd", "cobalt strike", "mozilla", "body", "brian sabey", "hallrender", "dynamicloader", "show", "alerts", "trojan", "copy", "dynamic", "medium", "reads", "write", "stealth network", "stealth_network", "script urls", "certificate", "rsa sha256", "exports data", "high", "yara rule", "yara detections", "njrat", "cape", "njrat malware", "sniffs", "guard", "write c", "delete c", "ms windows", "default", "intel", "openpgp public", "stream", "antivm_generic_disk", "antivm_generic_bios", "network_bind", "stealth_file spawns_dev_utility", "procmem_yara", "enumerates_physical_drives", "persistence_ads", "dynamic_function_loading", "reads_self", "suspicious_command_tools", "network", "rat" ], "references": [ "http://www.tabxexplorer.com [phishing]", "http://www.tabxexplorer.com/lenovo", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "identity_helper.exe", "cdn.easykeys.com", "hive21.ctcsoftware.com", "www.moxa.com", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Tulach Malware: 114.114.114.114", "ns3.hallgrandsale.ru", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Yara Detection: Nullsoft_NSIS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "HackTool:Win32/Atosev.A", "display_name": "HackTool:Win32/Atosev.A", "target": "/malware/HackTool:Win32/Atosev.A" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Win.Malware.Generickdz-9938530-0", "display_name": "Win.Malware.Generickdz-9938530-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5551, "hostname": 1690, "domain": 929, "FileHash-SHA256": 2696, "FileHash-MD5": 405, "FileHash-SHA1": 315, "email": 4, "SSLCertFingerprint": 1 }, "indicator_count": 11591, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e24b157718e7ddf71765db", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:33.521000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e24b1cd80668c22e7e1c7a", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:40.078000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a2418a73d5d36efff0b0f7", "name": "Lotus -Game-Version-Update.exe | trojan.onlinegames/aoks", "description": "Potentially downloads with other malware. Remote. Downloads installer. Alerts victim of a compromise, (through an update)attempts to have user purchases fix.", "modified": "2024-02-12T06:00:23.986000", "created": "2024-01-13T07:53:46.481000", "tags": [ "langchinese", "rtcursor", "rtgroupcursor", "lotus", "regsetvalueexa", "write", "search", "regdword", "create c", "read c", "trojan", "copy", "win32", "malware", "agent", "unknown", "next", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "gameid0 http", "please", "xport", "malware infection", "default", "crlf line", "unicode", "showing", "show", "medium", "compiler", "submission", "vhash", "imphash", "rich pe", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "simplified", "sections", "sha256 file", "type type", "chi2", "vs2003", "highlights", "file", "file version", "description", "original", "internal name", "version", "portable", "info compiler", "products", "whois record", "contacted", "pe resource", "whois whois", "historical ssl", "ssl certificate", "resolutions", "subdomains", "referrer", "pippidxsd", "execution", "stealer", "benjamin", "worm", "rar", "pe", "pexee", "crack", "remote", "download", "registrar abuse", "date", "redacted for", "server", "letshost", "domain status", "registry tech", "registrar whois", "contact email", "registry domain", "code", "service", "algorithm", "first", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "win32 dll", "ace utilities", "unhackme", "type name", "wextract", "total commander", "powerpack", "windows doctor", "tagwrapcore", "communicating", "51260032", "61760164", "bundled", "scam", "password", "fraud services", "cybercrime" ], "references": [ "Game-Version-Update.exe", "File: 2373aaec6f38bb129aab12741f2d8be237e0629db1f50206bae0ebefd959815a", "history.ie", "Yara ruleset match: Windows_API_Function by InQuest Labs", "registry-commander.exe", "password-recovery-tools-2012-professional-trial.exe", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [how could this be in everything!?]", "https://www.anyxxxtube.net/media/favicon/apple", "https://mail.greycroft.com/owa/redir.aspx?SURL=zRgJdPcEmzMcui5aPZuMhrMWFaQp7UWJt7B48ki50f3tl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwBpAHQAdQBuAGUAcwAuAGEAcABwAGwAZQAuAGMAbwBtAC8AdQBzAC8AYQBwAHAALwBhAG4AaQBtAGEAdABpAGMALQBiAHkALQBpAG4AawBiAG8AYQByAGQALwBpAGQAMQAwADUAMgAzADcAOQAxADUANAA_AGwAcwA9ADEAJgBtAHQAPQA4AA..&URL=https://itunes.apple.com/us/app/animatic-by-inkboard/id1052379154?ls=1&mt=8", "https://mediacherry.space/vn/vb/wheel/?key=eyJ0aW1lc3RhbXAiOiIxNzA0ODcwMzc2IiwiaGFzaCI6ImI5OWQ3ODQ3NTIyMDA5NTBmNmRiODY1NmUxNWY5YWMyZTc3MGExMTcifQ==&ccc=VN&ppp=PropellerAds:Popunder&tdom=www.a1000.online&zoneid=6534225&bemobdata=c=2f8cb72d-d2e6-4570-b258-aeb3acc53b24..l=6d25aa09-cccc-4797-aef4-7aa11d1e0dcb..a=0..b=0..z=0.000035..e=768844675632074752..c1=6534225..c2=7541054..c3=VN..c4=wireless..c5=viettel_mobile-vn..c6=other..c7=chrome..c8=27..c9=viettelcorporation..c10=Mozilla/5~BEMOB_DOT~0(Linux;Android10;K", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:Agent-AOKS\\ [Trj]", "display_name": "Win32:Agent-AOKS\\ [Trj]", "target": null }, { "id": "Win.Trojan.Bho-136", "display_name": "Win.Trojan.Bho-136", "target": null }, { "id": "Trojan:Win32/BHO.CV", "display_name": "Trojan:Win32/BHO.CV", "target": "/malware/Trojan:Win32/BHO.CV" }, { "id": "trojan.onlinegames/aoks", "display_name": "trojan.onlinegames/aoks", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "CRACK_UnHackMe_sigma.rar", "display_name": "CRACK_UnHackMe_sigma.rar", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 679, "FileHash-SHA1": 630, "FileHash-SHA256": 4958, "URL": 4966, "domain": 437, "hostname": 1429, "email": 1 }, "indicator_count": 13100, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "840 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e254b734f1efd8bd0ad", "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4", "description": "", "modified": "2023-12-06T15:07:17.380000", "created": "2023-12-06T15:07:17.380000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1645, "URL": 8598, "domain": 1004, "hostname": 2066, "FileHash-MD5": 3 }, "indicator_count": 13316, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708cee75cb524822443805", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2023-12-06T15:02:05.972000", "created": "2023-12-06T15:02:05.972000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6174, "FileHash-SHA256": 1762, "domain": 693, "email": 2, "hostname": 1343, "FileHash-MD5": 115, "FileHash-SHA1": 107, "CVE": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c37c54dd9e78f85c0fa", "name": "\u7ea2\u674f\u89c6\u9891 malware", "description": "", "modified": "2023-12-06T14:59:03.859000", "created": "2023-12-06T14:59:03.859000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "hostname": 2218, "URL": 5740, "domain": 901, "FileHash-MD5": 3 }, "indicator_count": 10548, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6280921bfbaf2aace62511f1", "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4", "description": "Alibaba", "modified": "2022-06-14T00:00:05.659000", "created": "2022-05-15T05:39:39.040000", "tags": [ "typeerror", "object", "typeof t", "symbol", "typeof e", "typeof self", "webpackrequire", "typeof n", "json", "math", "body", "copyright", "apoorv saxena", "typeof", "typeof define", "detect ie", "typeof document", "substring", "\u963f\u91cc\u5df4\u5df4\uff0c1688\uff0c\u5fae\u5546\uff0c\u5fae\u5e97\uff0c\u8d27\u6e90\uff0c\u5973\u88c5\u6279\u53d1\uff0c\u7537\u88c5\uff0cb2b\uff0c\u6279\u53d1\uff0c\u91c7\u8d2d", "typeof symbol", "promise", "error", "date", "createclass", "array", "this", "typeof lib", "null", "mozilla", "regexp", "typeof require", "xmlhttprequest", "license", "xdomainrequest", "aplusscore", "s1e4", "cfunction", "html5", "span", "button", "android", "jupdate", "void", "webview", "kraken", "nundefined", "xfunction", "zfunction", "chrome", "xuexi", "nullj", "area", "mtopwvplugin", "activexobject", "post", "options", "function", "head", "delete", "false", "trace", "patch", "unknown", "alipay", "ff6a00", "opacity100", "opacity0", "f2f3f7", "e6e7eb", "f7f8fa", "helvetica neue", "helvetica", "tahoma", "arial", "\u963f\u91cc\u5df4\u5df4\uff0c\u91c7\u8d2d\u6279\u53d1\uff0c1688\uff0c\u884c\u4e1a\u95e8\u6237\uff0c\u7f51\u4e0a\u8d38\u6613\uff0cb2b\uff0c\u7535\u5b50\u5546\u52a1\uff0c\u5185\u8d38\uff0c\u5916\u8d38\uff0c\u6279\u53d1\uff0c\u884c\u4e1a\u8d44\u8baf\uff0c\u7f51\u4e0a\u8d38\u6613\uff0c\u7f51\u4e0a\u4ea4\u6613\uff0c\u4ea4\u6613\u5e02\u573a\uff0c\u5728", "1688", "1000", "yunos", "lazada", "http response", "gmt contenttype", "vary" ], "references": [ "xfe-URL-1688.com-stix2-2.1-export.json", "xfe-IP-47.89.52.178-stix2-2.1-export.json", "https://page.1688.com/shtml/static/wrongpage.html", "http://polyfill.alicdn.com/", "xfe-URL-Alijk.com-stix2-2.1-export.json", "http://i.alicdn.com/", "http://is.alicdn.com/", "http://1688.com/", "https://mind.1688.com/wap/wapsy/dke4eosa0/index.html?no_cache=true&pageId=1150842&cms_id=1150842&src=desktop", "xfe-URL-mind.1688.com-stix2-2.1-export.json", "https://g.alicdn.com/secdev/sufei_data/3.9.9/index.js", "https://g.alicdn.com/alilog/mlog/aplus_wap.js", "https://mind.1688.com/zsh/zsh/d9my57ugj/index.html", "https://gw.alipayobjects.com/os/lib/lozad/1.16.0/dist/lozad.min.js", "http://g.alicdn.com/assets-group/croco/0.0.8/index.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8598, "hostname": 2066, "domain": 1004, "FileHash-SHA256": 1645, "FileHash-MD5": 3 }, "indicator_count": 13316, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "1448 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626bdc17d4519e2619a504da", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2022-05-30T00:00:40.928000", "created": "2022-04-29T12:37:43.880000", "tags": [ "irr.blizzard.com", "irr.blizzard.com.", "24.105.29.24", "CVE-2018-8120" ], "references": [ "https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c", "https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910", "https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653", "https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4", "74.203.211.12:1433", "irr.blizzard.com. 24.105.29.24", "https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1343, "URL": 6174, "domain": 693, "FileHash-SHA256": 1762, "FileHash-MD5": 115, "CVE": 2, "FileHash-SHA1": 107, "email": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 410, "modified_text": "1463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62606584633e2b9a3bc935b9", "name": "\u7ea2\u674f\u89c6\u9891 malware", "description": "function s(t,e), o, is a new type of function, which throws new TypeError when it comes to trying to make a function out of its own language or its form.", "modified": "2022-05-20T00:01:19.453000", "created": "2022-04-20T19:56:52.162000", "tags": [ "typeof t", "typeof define", "moztransform", "success", "error", "make sure", "stop", "ajax", "action", "click", "open", "active", "button", "toggle btn", "body", "scroll", "isotope", "preloader", "function", "javascript", "mit license", "typeof module", "gplv3", "license", "copyright", "metafizzy", "math", "typeof", "typeerror", "hidden", "show", "typeof n", "version", "hide", "focusin", "focusout", "shown", "startr", "endr", "federico zivolo", "distributed", "html", "statict", "flip", "regexp", "null", "void", "width", "object", "pseudo", "child", "class", "date", "accept", "webpackrequire", "name", "number", "arraybuffer", "iterator", "typedarray", "prototype", "string", "index", "meta", "target", "infinity", "zero", "epsilon", "observer", "android", "trim", "enumerate", "freeze", "internal", "bind", "window", "next", "find", "this", "rest", "middle", "canvas", "slidercaptcha", "createelement", "textdanger", "plugin", "rgba", "imagedata", "false", "touchstart", "trident", "applewebkit", "safari", "base", "presto", "gecko", "khtml", "micromessenger", "typeof e", "swiper", "most", "september", "customevent", "image", "typeof c", "twitter", "bootstrap", "rolemenu", "typeof f", "typeof g", "cookie plugin", "https", "klaus hartl", "register", "nodecommonjs", "factory", "jquery", "write", "typeof b", "array", "sufeffxa0", "attr", "\u706b\u7bad\u5185\u6d4b\u7b7e\u540d", "0x1d9131", "0x180bcc", "0x4b6177", "0x13f349", "0x3bcb54", "0xbbe80d", "0x57b7de", "0x2ea74e", "0x4fb0f2", "0x25f113", "push", "shift", "tencent", "barrio", "slice", "symbol", "typeof window", "maximum", "typeof symbol", "udc66udc67", "ud83d", "ufe0f", "ud83e", "udc68udc69", "udfcbudfcc", "u2640u2642", "ufe0fg", "ud83dudc6cud83c", "ud83dudc6dud83c", "welcome", "datav66d78640", "datav2f8052f5", "90deg", "datav5f1e575c", "datave97d7462", "helvetica neue", "helvetica", "10px", "pingfang sc", "arial", "45deg", "typenumber", "opacity0", "mozopacity0", "khtmlopacity0", "opacity100", "event", "boolean", "uint8array", "errordetails", "info", "checker", "generator", "blink", "keepalive", "4096", "unknown", "meteor", "rhino", "mini", "comment", "verify", "yeke", "codec", "media", "live", "speed", "headname", "axiostimeout", "apiurl", "bmi86hjtsk", "root", "length", "indexof", "x0ax20x20x20x20", "location", "0x10", "0x18", "history", "config", "cookie", "onload", "video", "afunction", "indexnotice", "sitehome", "x20trnf", "please", "strong" ], "references": [ "xfe-URL-sys95.com-stix2-2.1-export.json", "https://2001.habyc.com/?channelNo=2001#/home", "https://sdk.51.la/event/js-sdk-event.min.js?u=JdoUNv3VSW0GHUpw", "https://2001.habyc.com/static/js/chunk-7d5d3bac.efb700c7.js", "https://sdk.51.la/js-sdk-pro.min.js", "https://2001.habyc.com/js/config.js", "xfe-URL-2001.habyc.com-stix2-2.1-export.json", "https://2001.habyc.com/static/js/chunk-vendors.9d7684f4.js", "xfe-URL-habyc.com-stix2-2.1-export.json", "https://2001.habyc.com/static/css/chunk-vendors.6a41b67e.css", "https://2001.habyc.com/static/css/app.88afcfd8.css", "https://2001.habyc.com/static/css/chunk-7d5d3bac.e1a32335.css", "https://2001.dwlww.com/?channelNo=2001#/home", "https://2001.dwlww.com/static/js/chunk-7d5d3bac.efb700c7.js", "https://2001.dwlww.com/js/config.js", "https://2001.dwlww.com/static/js/chunk-vendors.9d7684f4.js", "https://2001.dwlww.com/static/js/app.9d5d18d7.js", "https://2001.dwlww.com/static/css/chunk-vendors.6a41b67e.css", "https://2001.dwlww.com/static/css/app.88afcfd8.css", "https://2001.dwlww.com/static/css/chunk-7d5d3bac.e1a32335.css", "https://www.tidio.com/talk/kv6vcosd7tmhsetmarsoawzaglejnny4", "https://chatting.page/kv6vcosd7tmhsetmarsoawzaglejnny4", "https://widget-v4.tidiochat.com/code/kv6vcosd7tmhsetmarsoawzaglejnny4.js", "https://m4244.com:35003/", "https://www.8098.app:21568/?agent=7691755704", "https://www.8098.app:21568/js/jquery-1.11.3.min.js", "https://www.8098.app:21568/js/xinstall_inner_e.min.js?v=1004", "https://app.ynsdty.cn//package/GmCC6WISh", "https://app.ynsdty.cn/dist/js/jquery.min.js", "https://app.ynsdty.cn/dist/js/jquery.cookie.js", "https://app.ynsdty.cn/dist/vendors/bootstrap/js/bootstrap.min.js", "https://app.ynsdty.cn/dist/vendors/swiper/swiper.min.js", "https://app.ynsdty.cn/dist/js/app.base.js", "https://app.ynsdty.cn/dist/js/longbow.slidercaptcha.js", "https://app.ynsdty.cn/dist/vendors/core-js/core.js", "xfe-URL-sun.net.hk-stix2-2.1-export.json", "https://www.sunnetwork.com.sg/sun_21/js/vendor/jquery-3.5.0.min.js", "https://www.sunnetwork.com.sg/sun_21/js/popper.min.js", "https://www.sunnetwork.com.sg/sun_21/js/bootstrap.min.js", "https://www.sunnetwork.com.sg/sun_21/js/isotope.pkgd.min.js", "https://www.sunnetwork.com.sg/sun_21/js/imagesloaded.pkgd.min.js", "https://www.sunnetwork.com.sg/sun_21/js/main.js", "https://www.sunnetwork.com.sg/sun_21/js/ajax-form.js", "https://www.sunnetwork.com.sg/sun_21/js/slick.min.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 901, "URL": 5740, "hostname": 2218, "FileHash-SHA256": 1686, "FileHash-MD5": 3 }, "indicator_count": 10548, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://g.alicdn.com/alilog/mlog/aplus_wap.js", "https://app.ynsdty.cn/dist/vendors/bootstrap/js/bootstrap.min.js", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "https://www.sunnetwork.com.sg/sun_21/js/isotope.pkgd.min.js", "xfe-URL-sys95.com-stix2-2.1-export.json", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "https://2001.dwlww.com/static/css/chunk-vendors.6a41b67e.css", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/graph", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "xfe-URL-habyc.com-stix2-2.1-export.json", "https://2001.habyc.com/static/css/chunk-vendors.6a41b67e.css", "https://g.alicdn.com/secdev/sufei_data/3.9.9/index.js", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "xfe-URL-2001.habyc.com-stix2-2.1-export.json", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.8098.app:21568/js/jquery-1.11.3.min.js", "xfe-URL-mind.1688.com-stix2-2.1-export.json", "http://1688.com/", "https://www.sunnetwork.com.sg/sun_21/js/slick.min.js", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "http://is.alicdn.com/", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "https://2001.dwlww.com/static/js/chunk-7d5d3bac.efb700c7.js", "https://2001.dwlww.com/static/css/chunk-7d5d3bac.e1a32335.css", "Tulach Malware: 114.114.114.114", "https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "IDS Detections Zusy Variant CnC Checkin", "https://2001.dwlww.com/js/config.js", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "https://www.sunnetwork.com.sg/sun_21/js/popper.min.js", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [how could this be in everything!?]", "https://widget-v4.tidiochat.com/code/kv6vcosd7tmhsetmarsoawzaglejnny4.js", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "https://mail.greycroft.com/owa/redir.aspx?SURL=zRgJdPcEmzMcui5aPZuMhrMWFaQp7UWJt7B48ki50f3tl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwBpAHQAdQBuAGUAcwAuAGEAcABwAGwAZQAuAGMAbwBtAC8AdQBzAC8AYQBwAHAALwBhAG4AaQBtAGEAdABpAGMALQBiAHkALQBpAG4AawBiAG8AYQByAGQALwBpAGQAMQAwADUAMgAzADcAOQAxADUANAA_AGwAcwA9ADEAJgBtAHQAPQA4AA..&URL=https://itunes.apple.com/us/app/animatic-by-inkboard/id1052379154?ls=1&mt=8", "https://2001.dwlww.com/static/js/chunk-vendors.9d7684f4.js", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "registry-commander.exe", "https://app.ynsdty.cn/dist/js/longbow.slidercaptcha.js", "https://2001.dwlww.com/static/js/app.9d5d18d7.js", "https://www.sunnetwork.com.sg/sun_21/js/ajax-form.js", "Yara Detection: Nullsoft_NSIS", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "http://g.alicdn.com/assets-group/croco/0.0.8/index.js", "https://app.ynsdty.cn/dist/js/jquery.cookie.js", "https://www.8098.app:21568/?agent=7691755704", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "https://www.sunnetwork.com.sg/sun_21/js/bootstrap.min.js", "https://2001.habyc.com/static/css/app.88afcfd8.css", "https://mind.1688.com/wap/wapsy/dke4eosa0/index.html?no_cache=true&pageId=1150842&cms_id=1150842&src=desktop", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "https://2001.dwlww.com/static/css/app.88afcfd8.css", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "https://www.sunnetwork.com.sg/sun_21/js/main.js", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://2001.habyc.com/?channelNo=2001#/home", "Stack pivoting was detected when using a critical API", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://www.tabxexplorer.com [phishing]", "irr.blizzard.com. 24.105.29.24", "https://2001.habyc.com/static/js/chunk-vendors.9d7684f4.js", "https://www.sunnetwork.com.sg/sun_21/js/vendor/jquery-3.5.0.min.js", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4", "https://www.8098.app:21568/js/xinstall_inner_e.min.js?v=1004", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "history.ie", "https://m4244.com:35003/", "https://sdk.51.la/event/js-sdk-event.min.js?u=JdoUNv3VSW0GHUpw", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "cdn.easykeys.com", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "https://mind.1688.com/zsh/zsh/d9my57ugj/index.html", "File: 2373aaec6f38bb129aab12741f2d8be237e0629db1f50206bae0ebefd959815a", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "identity_helper.exe", "https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c", "www.moxa.com", "https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/iocs", "xfe-URL-Alijk.com-stix2-2.1-export.json", "http://i.alicdn.com/", "xfe-URL-sun.net.hk-stix2-2.1-export.json", "https://page.1688.com/shtml/static/wrongpage.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "hive21.ctcsoftware.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com", "http://polyfill.alicdn.com/", "Registry: Read - DisableUserModeCallbackFilter", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "xfe-URL-1688.com-stix2-2.1-export.json", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "https://app.ynsdty.cn/dist/js/app.base.js", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "https://2001.habyc.com/static/js/chunk-7d5d3bac.efb700c7.js", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "password-recovery-tools-2012-professional-trial.exe", "74.203.211.12:1433", "https://www.sunnetwork.com.sg/sun_21/js/imagesloaded.pkgd.min.js", "ns3.hallgrandsale.ru", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "https://mediacherry.space/vn/vb/wheel/?key=eyJ0aW1lc3RhbXAiOiIxNzA0ODcwMzc2IiwiaGFzaCI6ImI5OWQ3ODQ3NTIyMDA5NTBmNmRiODY1NmUxNWY5YWMyZTc3MGExMTcifQ==&ccc=VN&ppp=PropellerAds:Popunder&tdom=www.a1000.online&zoneid=6534225&bemobdata=c=2f8cb72d-d2e6-4570-b258-aeb3acc53b24..l=6d25aa09-cccc-4797-aef4-7aa11d1e0dcb..a=0..b=0..z=0.000035..e=768844675632074752..c1=6534225..c2=7541054..c3=VN..c4=wireless..c5=viettel_mobile-vn..c6=other..c7=chrome..c8=27..c9=viettelcorporation..c10=Mozilla/5~BEMOB_DOT~0(Linux;Android10;K", "Game-Version-Update.exe", "https://app.ynsdty.cn/dist/js/jquery.min.js", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://www.anyxxxtube.net/media/favicon/apple", "https://gw.alipayobjects.com/os/lib/lozad/1.16.0/dist/lozad.min.js", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://2001.habyc.com/static/css/chunk-7d5d3bac.e1a32335.css", "http://www.tabxexplorer.com/lenovo", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "https://2001.dwlww.com/?channelNo=2001#/home", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://www.virustotal.com/graph/embed/g8c4e1b9704cb478f92c4fbb255016abe5beee3a86be54a118c68677c8976dcf7?theme=dark", "xfe-IP-47.89.52.178-stix2-2.1-export.json", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d", "https://2001.habyc.com/js/config.js", "https://chatting.page/kv6vcosd7tmhsetmarsoawzaglejnny4", "https://sdk.51.la/js-sdk-pro.min.js", "Yara ruleset match: Windows_API_Function by InQuest Labs", "https://app.ynsdty.cn/dist/vendors/core-js/core.js", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "https://app.ynsdty.cn//package/GmCC6WISh", "https://www.tidio.com/talk/kv6vcosd7tmhsetmarsoawzaglejnny4", "https://app.ynsdty.cn/dist/vendors/swiper/swiper.min.js", "IDS Detections: Cobalt Strike Malleable C2 JQuery" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "#lowfi:hstr:autoititv3modguidmark", "Win32:agent-aoks\\ [trj]", "Win.malware.generickdz-9938530-0", "Alf:trojandownloader:win32/vadokrist.a", "Win32.renos/artro", "Hacktool:win32/atosev.a", "Artro", "Trojan.onlinegames/aoks", "Trojan:win32/bho.cv", "Cobalt strike", "Hacktool:win32/cobaltstrike.a", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan:win32/zombie.a", "Alf:trojan:msil/agenttesla.km", "Win.trojan.generic-9957168-0", "Win32:crypterx-gen\\ [trj]", "Win.trojan.knigsfot-125", "Trojanspy:win32/nivdort.de", "Win.trojan.generic-9897526-0", "Alf:win32/gbdinf_305b1c9a.j!ibt", "Formbook", "Hacktool", "Alf:heraklezeval:trojan:win32/neurevt", "!autoit_3_00_third_party", "Trojan:win32/zusy", "Crack_unhackme_sigma.rar", "Sabey", "Trojanspy", "Generic", "Darkcomet", "Tulach", "Win.adware.relevantknowledge-9821121-0", "Hallrender", "Worm:win32/benjamin", "Win.malware.autoit-7732194-0", "Win.trojan.bho-136", "Win.malware.generickdz-9982080-0", "I-worm/bagle.qe", "Other:malware-gen\\ [trj]", "Worm.bagle-44" ], "industries": [ "", "Telecommunications", "Technology", "Civil society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "66e846796e72bee6be87c110", "name": "C:\\Program Files\\Microsoft Office\\root\\", "description": "C:\\Program Files\\Microsoft Office\\root\\\n\nIocs sampled from the directory: C:\\Program Files\\Microsoft Office\\root\\ (from an infected windows 11 sample PC)\nNot complete, will expand upon it later.\nUnder C:\\Program Files\\Microsoft Office there is...\n4x File Folders, 3x Edge HTML Docs", "modified": "2024-10-16T19:04:17.209000", "created": "2024-09-16T14:53:45.370000", "tags": [ "entity", "please", "javascript", "clientid", "platformwin32", "buildship", "architecturex86", "osbuild7601", "channeldcwin7", "installtypec2r", "sessionid" ], "references": [ "https://www.virustotal.com/graph/embed/g8c4e1b9704cb478f92c4fbb255016abe5beee3a86be54a118c68677c8976dcf7?theme=dark", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/iocs", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 3981, "URL": 685, "domain": 476, "hostname": 748 }, "indicator_count": 6178, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e3d1a94659d50264a78fd4", "name": "Phishing | TabExplorer attacks compromised networks and devices", "description": "", "modified": "2024-04-02T01:01:20.068000", "created": "2024-03-03T01:26:01.043000", "tags": [ "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "suricata udpv4", "date", "united", "windows nt", "win64", "hybrid", "general", "click", "strings", "contact", "url http", "url https", "scan endpoints", "all octoseek", "report spam", "hour ago", "whois record", "glasgow", "scan", "iocs", "next", "filehashsha256", "filehashmd5", "filehashsha1", "ipv4", "contacted", "execution", "pe resource", "communicating", "urls http", "referrer", "resolutions", "whois whois", "collections ip", "phishing", "attack", "loaded module", "remote procedure call", "search", "as15133 verizon", "passive dns", "urls", "creation date", "record value", "showing", "unknown", "as8075", "as15169 google", "as8068", "aaaa", "cname", "a domains", "meta", "entries", "gmt server", "ecacc saa83dd", "cobalt strike", "mozilla", "body", "brian sabey", "hallrender", "dynamicloader", "show", "alerts", "trojan", "copy", "dynamic", "medium", "reads", "write", "stealth network", "stealth_network", "script urls", "certificate", "rsa sha256", "exports data", "high", "yara rule", "yara detections", "njrat", "cape", "njrat malware", "sniffs", "guard", "write c", "delete c", "ms windows", "default", "intel", "openpgp public", "stream", "antivm_generic_disk", "antivm_generic_bios", "network_bind", "stealth_file spawns_dev_utility", "procmem_yara", "enumerates_physical_drives", "persistence_ads", "dynamic_function_loading", "reads_self", "suspicious_command_tools", "network", "rat" ], "references": [ "http://www.tabxexplorer.com [phishing]", "http://www.tabxexplorer.com/lenovo", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "identity_helper.exe", "cdn.easykeys.com", "hive21.ctcsoftware.com", "www.moxa.com", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Tulach Malware: 114.114.114.114", "ns3.hallgrandsale.ru", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Yara Detection: Nullsoft_NSIS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "HackTool:Win32/Atosev.A", "display_name": "HackTool:Win32/Atosev.A", "target": "/malware/HackTool:Win32/Atosev.A" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Win.Malware.Generickdz-9938530-0", "display_name": "Win.Malware.Generickdz-9938530-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5551, "hostname": 1690, "domain": 929, "FileHash-SHA256": 2696, "FileHash-MD5": 405, "FileHash-SHA1": 315, "email": 4, "SSLCertFingerprint": 1 }, "indicator_count": 11591, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e24b157718e7ddf71765db", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:33.521000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e24b1cd80668c22e7e1c7a", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:40.078000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a2418a73d5d36efff0b0f7", "name": "Lotus -Game-Version-Update.exe | trojan.onlinegames/aoks", "description": "Potentially downloads with other malware. Remote. Downloads installer. Alerts victim of a compromise, (through an update)attempts to have user purchases fix.", "modified": "2024-02-12T06:00:23.986000", "created": "2024-01-13T07:53:46.481000", "tags": [ "langchinese", "rtcursor", "rtgroupcursor", "lotus", "regsetvalueexa", "write", "search", "regdword", "create c", "read c", "trojan", "copy", "win32", "malware", "agent", "unknown", "next", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "gameid0 http", "please", "xport", "malware infection", "default", "crlf line", "unicode", "showing", "show", "medium", "compiler", "submission", "vhash", "imphash", "rich pe", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "simplified", "sections", "sha256 file", "type type", "chi2", "vs2003", "highlights", "file", "file version", "description", "original", "internal name", "version", "portable", "info compiler", "products", "whois record", "contacted", "pe resource", "whois whois", "historical ssl", "ssl certificate", "resolutions", "subdomains", "referrer", "pippidxsd", "execution", "stealer", "benjamin", "worm", "rar", "pe", "pexee", "crack", "remote", "download", "registrar abuse", "date", "redacted for", "server", "letshost", "domain status", "registry tech", "registrar whois", "contact email", "registry domain", "code", "service", "algorithm", "first", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "win32 dll", "ace utilities", "unhackme", "type name", "wextract", "total commander", "powerpack", "windows doctor", "tagwrapcore", "communicating", "51260032", "61760164", "bundled", "scam", "password", "fraud services", "cybercrime" ], "references": [ "Game-Version-Update.exe", "File: 2373aaec6f38bb129aab12741f2d8be237e0629db1f50206bae0ebefd959815a", "history.ie", "Yara ruleset match: Windows_API_Function by InQuest Labs", "registry-commander.exe", "password-recovery-tools-2012-professional-trial.exe", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [how could this be in everything!?]", "https://www.anyxxxtube.net/media/favicon/apple", "https://mail.greycroft.com/owa/redir.aspx?SURL=zRgJdPcEmzMcui5aPZuMhrMWFaQp7UWJt7B48ki50f3tl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwBpAHQAdQBuAGUAcwAuAGEAcABwAGwAZQAuAGMAbwBtAC8AdQBzAC8AYQBwAHAALwBhAG4AaQBtAGEAdABpAGMALQBiAHkALQBpAG4AawBiAG8AYQByAGQALwBpAGQAMQAwADUAMgAzADcAOQAxADUANAA_AGwAcwA9ADEAJgBtAHQAPQA4AA..&URL=https://itunes.apple.com/us/app/animatic-by-inkboard/id1052379154?ls=1&mt=8", "https://mediacherry.space/vn/vb/wheel/?key=eyJ0aW1lc3RhbXAiOiIxNzA0ODcwMzc2IiwiaGFzaCI6ImI5OWQ3ODQ3NTIyMDA5NTBmNmRiODY1NmUxNWY5YWMyZTc3MGExMTcifQ==&ccc=VN&ppp=PropellerAds:Popunder&tdom=www.a1000.online&zoneid=6534225&bemobdata=c=2f8cb72d-d2e6-4570-b258-aeb3acc53b24..l=6d25aa09-cccc-4797-aef4-7aa11d1e0dcb..a=0..b=0..z=0.000035..e=768844675632074752..c1=6534225..c2=7541054..c3=VN..c4=wireless..c5=viettel_mobile-vn..c6=other..c7=chrome..c8=27..c9=viettelcorporation..c10=Mozilla/5~BEMOB_DOT~0(Linux;Android10;K", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:Agent-AOKS\\ [Trj]", "display_name": "Win32:Agent-AOKS\\ [Trj]", "target": null }, { "id": "Win.Trojan.Bho-136", "display_name": "Win.Trojan.Bho-136", "target": null }, { "id": "Trojan:Win32/BHO.CV", "display_name": "Trojan:Win32/BHO.CV", "target": "/malware/Trojan:Win32/BHO.CV" }, { "id": "trojan.onlinegames/aoks", "display_name": "trojan.onlinegames/aoks", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "CRACK_UnHackMe_sigma.rar", "display_name": "CRACK_UnHackMe_sigma.rar", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 679, "FileHash-SHA1": 630, "FileHash-SHA256": 4958, "URL": 4966, "domain": 437, "hostname": 1429, "email": 1 }, "indicator_count": 13100, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "840 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e254b734f1efd8bd0ad", "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4", "description": "", "modified": "2023-12-06T15:07:17.380000", "created": "2023-12-06T15:07:17.380000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1645, "URL": 8598, "domain": 1004, "hostname": 2066, "FileHash-MD5": 3 }, "indicator_count": 13316, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708cee75cb524822443805", "name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120", "description": "", "modified": "2023-12-06T15:02:05.972000", "created": "2023-12-06T15:02:05.972000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6174, "FileHash-SHA256": 1762, "domain": 693, "email": 2, "hostname": 1343, "FileHash-MD5": 115, "FileHash-SHA1": 107, "CVE": 2 }, "indicator_count": 10198, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c37c54dd9e78f85c0fa", "name": "\u7ea2\u674f\u89c6\u9891 malware", "description": "", "modified": "2023-12-06T14:59:03.859000", "created": "2023-12-06T14:59:03.859000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "hostname": 2218, "URL": 5740, "domain": 901, "FileHash-MD5": 3 }, "indicator_count": 10548, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6280921bfbaf2aace62511f1", "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4", "description": "Alibaba", "modified": "2022-06-14T00:00:05.659000", "created": "2022-05-15T05:39:39.040000", "tags": [ "typeerror", "object", "typeof t", "symbol", "typeof e", "typeof self", "webpackrequire", "typeof n", "json", "math", "body", "copyright", "apoorv saxena", "typeof", "typeof define", "detect ie", "typeof document", "substring", "\u963f\u91cc\u5df4\u5df4\uff0c1688\uff0c\u5fae\u5546\uff0c\u5fae\u5e97\uff0c\u8d27\u6e90\uff0c\u5973\u88c5\u6279\u53d1\uff0c\u7537\u88c5\uff0cb2b\uff0c\u6279\u53d1\uff0c\u91c7\u8d2d", "typeof symbol", "promise", "error", "date", "createclass", "array", "this", "typeof lib", "null", "mozilla", "regexp", "typeof require", "xmlhttprequest", "license", "xdomainrequest", "aplusscore", "s1e4", "cfunction", "html5", "span", "button", "android", "jupdate", "void", "webview", "kraken", "nundefined", "xfunction", "zfunction", "chrome", "xuexi", "nullj", "area", "mtopwvplugin", "activexobject", "post", "options", "function", "head", "delete", "false", "trace", "patch", "unknown", "alipay", "ff6a00", "opacity100", "opacity0", "f2f3f7", "e6e7eb", "f7f8fa", "helvetica neue", "helvetica", "tahoma", "arial", "\u963f\u91cc\u5df4\u5df4\uff0c\u91c7\u8d2d\u6279\u53d1\uff0c1688\uff0c\u884c\u4e1a\u95e8\u6237\uff0c\u7f51\u4e0a\u8d38\u6613\uff0cb2b\uff0c\u7535\u5b50\u5546\u52a1\uff0c\u5185\u8d38\uff0c\u5916\u8d38\uff0c\u6279\u53d1\uff0c\u884c\u4e1a\u8d44\u8baf\uff0c\u7f51\u4e0a\u8d38\u6613\uff0c\u7f51\u4e0a\u4ea4\u6613\uff0c\u4ea4\u6613\u5e02\u573a\uff0c\u5728", "1688", "1000", "yunos", "lazada", "http response", "gmt contenttype", "vary" ], "references": [ "xfe-URL-1688.com-stix2-2.1-export.json", "xfe-IP-47.89.52.178-stix2-2.1-export.json", "https://page.1688.com/shtml/static/wrongpage.html", "http://polyfill.alicdn.com/", "xfe-URL-Alijk.com-stix2-2.1-export.json", "http://i.alicdn.com/", "http://is.alicdn.com/", "http://1688.com/", "https://mind.1688.com/wap/wapsy/dke4eosa0/index.html?no_cache=true&pageId=1150842&cms_id=1150842&src=desktop", "xfe-URL-mind.1688.com-stix2-2.1-export.json", "https://g.alicdn.com/secdev/sufei_data/3.9.9/index.js", "https://g.alicdn.com/alilog/mlog/aplus_wap.js", "https://mind.1688.com/zsh/zsh/d9my57ugj/index.html", "https://gw.alipayobjects.com/os/lib/lozad/1.16.0/dist/lozad.min.js", "http://g.alicdn.com/assets-group/croco/0.0.8/index.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8598, "hostname": 2066, "domain": 1004, "FileHash-SHA256": 1645, "FileHash-MD5": 3 }, "indicator_count": 13316, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "1448 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "downname.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "downname.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780346055.579115 }