{ "type": "Domain", "indicator": "driverupdater.software", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/driverupdater.software", "alexa": "http://www.alexa.com/siteinfo/driverupdater.software", "indicator": "driverupdater.software", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2788796508, "indicator": "driverupdater.software", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c2a296d3cea258c9f1c2ad", "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites", "description": "", "modified": "2022-07-04T08:19:34.791000", "created": "2022-07-04T08:19:34.791000", "tags": [ "malware", "info", "pups", "phishing sites", "am cst", "shadowwhisperer", "curl", "wget" ], "references": [ "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 47, "domain": 34626, "hostname": 19 }, "indicator_count": 34702, "is_author": false, "is_subscribing": null, "subscriber_count": 872, "modified_text": "1385 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "http://sexkompas.xyz", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "dev-app.project-cicada.com \u2022 project-cicada.com", "https://goo.gl/9p2vKq", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "IDS Detections Gh0stCringe CnC Activity M2", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "api.acumatica.flex.redteam.com", "PEXE - DOS executable (COM)", "tracking2youdu.com , cdn.livechatinc.com", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Found in: https://jbplegal.com", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)" ], "malware_families": [ "Alf:heraklezeval:trojan:win32/clipbanker", "Win32:malob-bx", "Win32:injector-cvf\\ [trj]\t\twin.mal", "Win32:malware-gen", "Win32:pwsx-gen", "Et", "Trojandownloader:win32/cutwail.bs", "Win.trojan.gh0strat-9955419-1", "Trojan:win32/glupteba.mt!mtb", "Trojandropper:win32/vb.il", "Virtool:win32/obfuscator.k", "Win.malware.vtflooder-6260355-1", "Etpro", "Ransom:win32/crowti.a", "Cymt", "Win.trojan.agent", "Win.trojan.buzus-5453", "Doc.downloader.emotetred02220-9938909-0", "Trojandownloader:win32/upatre.aa" ], "industries": [ "Legal", "Healthcare", "Civil society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c2a296d3cea258c9f1c2ad", "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites", "description": "", "modified": "2022-07-04T08:19:34.791000", "created": "2022-07-04T08:19:34.791000", "tags": [ "malware", "info", "pups", "phishing sites", "am cst", "shadowwhisperer", "curl", "wget" ], "references": [ "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 47, "domain": 34626, "hostname": 19 }, "indicator_count": 34702, "is_author": false, "is_subscribing": null, "subscriber_count": 872, "modified_text": "1385 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "driverupdater.software", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "driverupdater.software", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776611882.02637 }