{ "type": "Domain", "indicator": "edgecloudc.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/edgecloudc.com", "alexa": "http://www.alexa.com/siteinfo/edgecloudc.com", "indicator": "edgecloudc.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2649043017, "indicator": "edgecloudc.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "9 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a956460f257cf96c454071", "name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.", "description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed", "modified": "2025-09-21T21:03:28.771000", "created": "2025-08-23T05:48:54.534000", "tags": [ "domains", "hashes", "passive dns", "urls", "url add", "http", "hostname", "files domain", "files related", "related tags", "a domains", "entries", "next associated", "files show", "date hash", "avast avg", "trojanspy", "entries http", "scans show", "search", "body", "body doctype", "dynamicloader", "medium", "reg add", "regsz d", "high", "windows", "audio drivers", "write c", "virtool", "copy", "write", "june", "united", "unknown ns", "samsara", "new york", "city ny", "ip address", "record value", "meta", "date", "music", "encrypt", "win32", "dangeroussig", "lowfi", "msie", "chrome", "precondition", "trojan", "title", "canada unknown", "unknown cname", "domain add", "files", "location united", "hostname add", "verdict", "domain", "files ip", "address", "asn as13335", "hash avast", "avg clamav", "msdefender feb", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "file", "size", "ascii text", "pattern match", "august", "hybrid", "general", "path", "click", "strings", "roboto", "mozilla", "contact", "t1179 hooking", "installs", "t1035 service", "crlf line", "runtime process", "malicious", "unknown", "ssl certificate", "defense evasion", "amazon02", "americachicago", "windows nt", "win64", "khtml", "gecko", "veryhigh", "found", "geo menifee", "california", "as30148", "us note", "route", "ptr record", "information", "t1053", "taskjob", "t1055", "injection", "t1082", "t1112", "modify registry", "t1119", "t1129", "service", "capture", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "showing", "ipv6", "ipv4", "dicator role", "title added", "active related", "sweden", "netherlands", "scan", "iocs", "learn more", "types of", "kingdom", "united kingdom", "denmark", "icator role", "malware attacks", "find encrypted", "t1021", "remote", "t1068", "ta0043", "t1016", "discovery", "t1221", "nobody love", "tori", "kelley", "dj khaled", "justin bieber", "sophos video", "x rack", "x frame", "october", "songculture", "song culture", "tsara brashears", "jess 4", "queryfoundry", "beyond sampling", "pirated", "youtube", "spotify", "twitter", "spy", "tracking" ], "references": [ "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "8-25-220-162-static.reverse.queryfoundry.net", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "I apologize if you don\u2019t like my background stories", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nivdort", "display_name": "Nivdort", "target": null }, { "id": "Virtool", "display_name": "Virtool", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Trojanspy", "display_name": "Trojanspy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Malware Gen", "display_name": "Malware Gen", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Media", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1833, "hostname": 902, "domain": 386, "FileHash-MD5": 406, "FileHash-SHA1": 402, "FileHash-SHA256": 1437, "email": 2, "SSLCertFingerprint": 5, "CIDR": 2 }, "indicator_count": 5375, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "210 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688ed5eca930bccd0aec22be", "name": "Foundry.matav.hu - Ransom & SpyVoltar", "description": "", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:22:20.760000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": "688ed51290c84cbaec011d53", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688ed51290c84cbaec011d53", "name": "Indie Music Artists Website-Win32/SpyVoltar.A Checkin 2", "description": "* Music Artists Website-Win32/SpyVoltar.A Checkin 2 * ransom:Win32/Haperlock.A highjacked SongCulture.com and her Bank Account. Ongoing.\nVery malicious espionage. Had been running Tsars Brashears website after canceling her Bank account via hacking. A South African calle center Brashears was told did not exist were the call center for AllState , Esurance (Now NGIC?) and T-mobile. Have not paid her losses including daughter\u2019s stolen SUV!! \n#espionage #ransom", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:18:42.264000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7aa9d0ec86cff5b95b64", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-09-12T14:01:56.106000", "created": "2024-08-13T15:24:25.284000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c5dc9fa0c2264bdbb7d146", "name": "www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/ ", "description": "", "modified": "2024-08-21T12:25:03.593000", "created": "2024-08-21T12:25:03.593000", "tags": [ "cisco umbrella", "site", "malware", "alexa top", "team top", "million", "heur", "safe site", "malicious site", "phishing site", "artemis", "alexa", "agent", "xtrat", "iframe", "downldr", "presenoker", "riskware", "unsafe", "zbot", "crypt", "team", "emailworm", "blacknet rat", "stealer", "blacklist https", "name verdict", "no data", "tag count", "tld count", "count blacklist", "tag tag", "tld tld", "pattern match", "jpeg image", "jfif standard", "file", "windows nt", "ascii text", "et tor", "known tor", "relayrouter", "exit", "date", "unknown", "general", "hybrid", "click", "strings", "class", "generator", "critical", "error", "detection list", "https", "http", "urls", "maltiverse", "html", "bank", "phishing", "download", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "exploit", "crack", "generic", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "node tcp", "traffic", "tor known", "tor relayrouter", "united", "spammer", "execution", "whois record", "apple ios", "pe resource", "ssl certificate", "apple private", "data collection", "apeaksoft ios", "privilege", "contacted", "hacktool", "startpage", "banker", "keylogger" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "655af3b210e8f57cabaa0656", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 158, "FileHash-SHA1": 125, "FileHash-SHA256": 3615, "domain": 2058, "hostname": 3773, "CVE": 15, "URL": 10672, "email": 1 }, "indicator_count": 20417, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "606 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2024-07-16T20:30:56.084000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1325, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 283, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5828f8217ecbe6ce3a89b", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:29:19.302000", "created": "2024-03-16T11:29:19.302000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "764 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5827a4e23b095e5af5f44", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:58.984000", "created": "2024-03-16T11:28:58.984000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "764 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f582700d35b0e7c8dd9df8", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:48.062000", "created": "2024-03-16T11:28:48.062000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "764 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5823b9d7bc6b422256296", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:27:55.808000", "created": "2024-03-16T11:27:55.808000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "764 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "767 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aab9d7a0b4116f622b0aa0", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-19T18:05:11.592000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": "65a8720daa2d0263a2b1de88", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a8720daa2d0263a2b1de88", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior. Active threat. Linux/Mumblehard backdoor/botnet", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-18T00:34:21.136000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659c88827d014b8ac6738dae", "name": "STRIVEN.COM | Remote videos to my device | Disabled WiFi or Bluetooth | Malicious ", "description": "", "modified": "2024-02-07T23:03:25.817000", "created": "2024-01-08T23:42:58.409000", "tags": [ "as21690", "united", "unknown", "search", "entries", "creation date", "scan endpoints", "all search", "otx octoseek", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d65255c80d866add600bac", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1448, "hostname": 3973, "email": 2, "URL": 10456, "FileHash-SHA256": 3308, "FileHash-MD5": 354, "FileHash-SHA1": 350, "CVE": 2 }, "indicator_count": 19893, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a971ab44409ecb7018428", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:54.823000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9718ac97804d782cc16b", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:52.614000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6569984495dfed1b14e29217", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-01T08:24:36.293000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6564fa9a3d90d1cd14928b16", "name": "Lumma \u2022 University of Alberta \"No Problems\" | T1036 - Masquerading", "description": "I was contacted on this forum re: University of Alberta issue. Based on research www.ualberta.ca redirects. There hasn't been a research effort for redirect. I researched a spoofed website. After viewing senders request, my devices operating system changed, isn't recognized by any accounts, keyloggers.\nFound: Anonymizers, Redirector, Masquerading, Network RAT, Serious Social Engineering, Botnetwork Army, Stealers, Lumma and weirdly targeted 'Tsara Brashears' as a malicious link on a spoofed University in Canada, UCHealth Colorado links.", "modified": "2023-12-27T19:03:02.665000", "created": "2023-11-27T20:22:50.050000", "tags": [ "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json url", "urls", "detection list", "cisco umbrella", "site", "heur", "safe site", "alexa top", "million", "malware", "malicious site", "phishing site", "malicious url", "phishing", "riskware", "presenoker", "artemis", "agent", "unsafe", "opencandy", "ursnif", "wacatac", "team", "facebook", "runescape", "service", "downldr", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "installcore", "fareit", "secrisk", "exploit", "mimikatz", "sorano", "emotet", "genkryptik", "fuery", "dbatloader", "qakbot", "alexa", "malicious", "union", "lumma stealer", "fusioncore", "cleaner", "azorult", "bank", "blacknet rat", "stealer", "iframe", "trojanspy", "analysis", "united", "firehol", "proxy", "mail spammer", "downloader", "malware site", "meterpreter", "qbot", "bankerx", "dropper", "nimda", "formbook", "swrort", "unruy", "adwind", "trojanx", "crack", "win64", "generic", "dnspionage", "expirestue", "path", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "alberta", "university", "edmonton", "html info", "alberta meta", "tags", "trackers google", "tag manager", "gtmkr32", "blacklist", "low risk", "apache", "domain", "malware found", "unknown", "minimal low", "security risk", "medium high", "critical", "protect", "college", "mtis", "faculties", "research", "health", "a about", "news", "events", "sport", "life", "find", "story", "tools", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "pattern match", "file", "date", "factory", "hybrid", "general", "cookie", "click", "strings", "djin", "no data", "tag count", "sample", "samples", "netsky", "cobalt strike", "xrat", "fakealert", "raccoon", "redline stealer", "metastealer", "icedid", "quasar rat", "acint", "anonymizer", "blockchain", "social engineering", "read c", "search", "show", "medium", "entries", "whitelisted", "memcommit", "delete", "yara detections", "next", "dock", "write", "execution", "copy", "south carolina", "federal credit", "team proxy", "static engine", "covid19", "redirector", "suspic", "tue mar", "zbot", "size68b type", "count blacklist", "tag tag", "rejected sample", "icon", "analyzed", "hwp support", "falcon sandbox", "multi scan", "update", "view details", "upgrade", "blacklist https", "keyloggers" ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "uchealth.com", "http://michaela.young@uchealth.com", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "MimiKatz", "display_name": "MimiKatz", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Network RAT", "display_name": "Network RAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Brontok", "display_name": "Brontok", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" } ], "industries": [ "Education", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 320, "FileHash-SHA1": 172, "FileHash-SHA256": 4302, "URL": 8243, "CIDR": 1, "domain": 1742, "hostname": 2270, "CVE": 18, "SSLCertFingerprint": 3, "email": 4 }, "indicator_count": 17075, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655af3b210e8f57cabaa0656", "name": "www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashesrswww.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears", "description": "", "modified": "2023-12-19T20:03:47.953000", "created": "2023-11-20T05:50:42.003000", "tags": [ "cisco umbrella", "site", "malware", "alexa top", "team top", "million", "heur", "safe site", "malicious site", "phishing site", "artemis", "alexa", "agent", "xtrat", "iframe", "downldr", "presenoker", "riskware", "unsafe", "zbot", "crypt", "team", "emailworm", "blacknet rat", "stealer", "blacklist https", "name verdict", "no data", "tag count", "tld count", "count blacklist", "tag tag", "tld tld", "pattern match", "jpeg image", "jfif standard", "file", "windows nt", "ascii text", "et tor", "known tor", "relayrouter", "exit", "date", "unknown", "general", "hybrid", "click", "strings", "class", "generator", "critical", "error", "detection list", "https", "http", "urls", "maltiverse", "html", "bank", "phishing", "download", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "exploit", "crack", "generic", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "node tcp", "traffic", "tor known", "tor relayrouter", "united", "spammer", "execution", "whois record", "apple ios", "pe resource", "ssl certificate", "apple private", "data collection", "apeaksoft ios", "privilege", "contacted", "hacktool", "startpage", "banker", "keylogger" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "655a6c5a03c0b3b2d0964986", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 158, "FileHash-SHA1": 125, "FileHash-SHA256": 3615, "domain": 2058, "hostname": 3773, "CVE": 15, "URL": 10672, "email": 1 }, "indicator_count": 20417, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655a6dda5d743c8f48635ce1", "name": "Critical cyber threat. Same threats found in regular looking blogs", "description": "malvertizing, privilege, mocking, phishing, fraud, trojans, info stealers, trojan.dacic/blocker, cagrt.exe, aspeaksoft, iOS, apple unlocker, keylogger \nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\nMatches rule ET MALWARE Win32/Pykspa.C Public IP Check\nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\nhttps://www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/", "modified": "2023-12-19T20:03:47.953000", "created": "2023-11-19T20:19:38.448000", "tags": [ "cisco umbrella", "site", "malware", "alexa top", "team top", "million", "heur", "safe site", "malicious site", "phishing site", "artemis", "alexa", "agent", "xtrat", "iframe", "downldr", "presenoker", "riskware", "unsafe", "zbot", "crypt", "team", "emailworm", "blacknet rat", "stealer", "blacklist https", "name verdict", "no data", "tag count", "tld count", "count blacklist", "tag tag", "tld tld", "pattern match", "jpeg image", "jfif standard", "file", "windows nt", "ascii text", "et tor", "known tor", "relayrouter", "exit", "date", "unknown", "general", "hybrid", "click", "strings", "class", "generator", "critical", "error", "detection list", "https", "http", "urls", "maltiverse", "html", "bank", "phishing", "download", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "exploit", "crack", "generic", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "node tcp", "traffic", "tor known", "tor relayrouter", "united", "spammer", "execution", "whois record", "apple ios", "pe resource", "ssl certificate", "apple private", "data collection", "apeaksoft ios", "privilege", "contacted", "hacktool", "startpage", "banker", "keylogger" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 158, "FileHash-SHA1": 125, "FileHash-SHA256": 3615, "domain": 2058, "hostname": 3773, "CVE": 15, "URL": 10672, "email": 1 }, "indicator_count": 20417, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655a6c5a03c0b3b2d0964986", "name": "www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/", "description": "malvertizing, mocking, phishing, fraud, trojans, info stealers, trojan.dacic/blocker, cagrt.exe\nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\nMatches rule ET MALWARE Win32/Pykspa.C Public IP Check\nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\nhttps://www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/", "modified": "2023-12-19T20:03:47.953000", "created": "2023-11-19T20:13:14.160000", "tags": [ "cisco umbrella", "site", "malware", "alexa top", "team top", "million", "heur", "safe site", "malicious site", "phishing site", "artemis", "alexa", "agent", "xtrat", "iframe", "downldr", "presenoker", "riskware", "unsafe", "zbot", "crypt", "team", "emailworm", "blacknet rat", "stealer", "blacklist https", "name verdict", "no data", "tag count", "tld count", "count blacklist", "tag tag", "tld tld", "pattern match", "jpeg image", "jfif standard", "file", "windows nt", "ascii text", "et tor", "known tor", "relayrouter", "exit", "date", "unknown", "general", "hybrid", "click", "strings", "class", "generator", "critical", "error", "detection list", "https", "http", "urls", "maltiverse", "html", "bank", "phishing", "download", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "exploit", "crack", "generic", "bazaloader", "media", "facebook", "service", "runescape", "webtoolbar", "node tcp", "traffic", "tor known", "tor relayrouter", "united", "spammer", "execution", "whois record", "apple ios", "pe resource", "ssl certificate", "apple private", "data collection", "apeaksoft ios", "privilege", "contacted", "hacktool", "startpage", "banker", "keylogger" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 158, "FileHash-SHA1": 125, "FileHash-SHA256": 3615, "domain": 2058, "hostname": 3773, "CVE": 15, "URL": 10672, "email": 1 }, "indicator_count": 20417, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "852 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65580c1516990d69644fb3d0", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:57.372000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65580c17e69371b34a573f72", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:59.619000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65574cbe6bdbe24ecb170b24", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:34.083000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65574cb4447c8d87ad85fa75", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:24.343000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995af8d4a3461031898b", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-10-02T00:00:29.692000", "created": "2023-08-24T17:54:34.404000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "930 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507dcf477ef9466c2de35e3", "name": "HIVE (Pulse created by RVS_i_am)", "description": "For more information, please see:\n\nContact info: wnd5xkus@duck.com / kcqhf2ok@duck.com (Email & Phone has 'not been very effective' means of communication)\nTwitter: @NorrisN60014\nDiscord: inawj_2\nMastadon: Disable_Duck@nerdculture.de\n\nOther:\nAlienVault: DISABLE_DUCK\nFileScan: DISABLE_DUCK\nMetadefender: red_snow_ak3jzram", "modified": "2023-09-18T05:15:32.926000", "created": "2023-09-18T05:15:32.926000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "64fa30d707f35d3c9d8bd1cd", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507dcf100d8bde09b555013", "name": "HIVE (Pulse created by RVS_i_am)", "description": "", "modified": "2023-09-18T05:15:29.671000", "created": "2023-09-18T05:15:29.671000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "64fa30d707f35d3c9d8bd1cd", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30d7bc2e4d93884b2a4c", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:43.678000", "created": "2023-09-07T20:21:43.678000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30d707f35d3c9d8bd1cd", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:43.271000", "created": "2023-09-07T20:21:43.271000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30cce362cbd8ba18c887", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:32.701000", "created": "2023-09-07T20:21:32.701000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30c8b0f038985fbce564", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:28.946000", "created": "2023-09-07T20:21:28.946000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30b1c5599ae3fd943671", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:05.125000", "created": "2023-09-07T20:21:05.125000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30a3429961426a8c9f3f", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:51.389000", "created": "2023-09-07T20:20:51.389000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa309b486cb2d0cacbc33e", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:43.518000", "created": "2023-09-07T20:20:43.518000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa309b8869335d1a9e6293", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:43.122000", "created": "2023-09-07T20:20:43.122000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa3090d3eb1de3bad58767", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:32.583000", "created": "2023-09-07T20:20:32.583000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa308c07f35d3c9d8bd1cc", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:28.541000", "created": "2023-09-07T20:20:28.541000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "955 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799845f4ca1eaee3b9957", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:55:16.165000", "created": "2023-08-24T17:55:16.165000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "969 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79960d336b6a4b53c561e", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:40.425000", "created": "2023-08-24T17:54:40.425000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "969 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995f5e8231aa87cdddc5", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:39.765000", "created": "2023-08-24T17:54:39.765000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "969 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995ece1da1e24e444a27", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:38.909000", "created": "2023-08-24T17:54:38.909000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "969 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "8-25-220-162-static.reverse.queryfoundry.net", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "\u2193Command and Control \u2193", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "fmfmobile.fe.apple-dns.net", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "applestore.net", "Resource: https://urlscan.io/domain/privaterelay.appleid.com", "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "airinthemorning.net", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "http://notredamewormhoutnet.appleid.com/", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "https://dc-mx.d3525d602ca2.pixelrz.com", "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx", "djcodychase.com", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "p155-fmfmobile.icloud.com", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "http://certs.apple.com/appleistca2g1_bc.cer", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "CNC Hostname: urlspirit.spiritsoft.cn", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "uchealth.com", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "http://michaela.young@uchealth.com", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "developer.huawei.com", "I apologize if you don\u2019t like my background stories", "news-publisher.pictures", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (iPhone unlocker)", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Swrort", "Opencandy", "Network rat", "Raccoon", "Beach research", "Malware", "Zbot", "Win:zgrat", "Bambernek", "Nircmd", "Trojan.agensla/msil", "Backdoor:linux/mumblehard", "Hacktool", "Tiggre", "Pup/win32.bundler.r1865", "Trojanx", "Generic", "Fusioncore", "Softcnapp", "Worm:win32/benjamin", "Trojan:win32/zombie", "Qakbot", "Trojan:win32/glupteba.mt!mtb", "Zeus", "Virus:dos/nanjing", "Blacknet", "Nivdort", "Brontok", "Tinba", "Networm", "Evo", "Meterpreter", "Redline", "Malware gen", "Cobalt strike", "Virtool:win32/injector", "Kraddare", "Wacatac.", "Blacknet rat", "Redline stealer", "Trojanspy:win32/nivdort", "Trojanspy", "Adware:win32/adload.0e19dea6", "Maltiverse", "Win.dropper.xtremerat-7708589-0", "Formbook", "Quasar rat", "Unruy", "Ransomware", "Suppobox", "Union", "Lumma stealer", "Ransom", "Noname057", "Win.packed.razy-9828382-0", "Mimikatz", "Xrat", "Adware.adload/adinstaller", "Emotet", "Trojandropper:win32/muldrop", "Webtoolbar", "Virtool", "Systweak", "Inno:downloader-j [pup]" ], "industries": [ "Industrial", "Food", "Civilian society", "Education", "Defense", "Healthcare", "Medicine", "Government", "Nutritional", "Telecommunications", "Medical", "Media", "Health", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "9 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a956460f257cf96c454071", "name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.", "description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed", "modified": "2025-09-21T21:03:28.771000", "created": "2025-08-23T05:48:54.534000", "tags": [ "domains", "hashes", "passive dns", "urls", "url add", "http", "hostname", "files domain", "files related", "related tags", "a domains", "entries", "next associated", "files show", "date hash", "avast avg", "trojanspy", "entries http", "scans show", "search", "body", "body doctype", "dynamicloader", "medium", "reg add", "regsz d", "high", "windows", "audio drivers", "write c", "virtool", "copy", "write", "june", "united", "unknown ns", "samsara", "new york", "city ny", "ip address", "record value", "meta", "date", "music", "encrypt", "win32", "dangeroussig", "lowfi", "msie", "chrome", "precondition", "trojan", "title", "canada unknown", "unknown cname", "domain add", "files", "location united", "hostname add", "verdict", "domain", "files ip", "address", "asn as13335", "hash avast", "avg clamav", "msdefender feb", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "file", "size", "ascii text", "pattern match", "august", "hybrid", "general", "path", "click", "strings", "roboto", "mozilla", "contact", "t1179 hooking", "installs", "t1035 service", "crlf line", "runtime process", "malicious", "unknown", "ssl certificate", "defense evasion", "amazon02", "americachicago", "windows nt", "win64", "khtml", "gecko", "veryhigh", "found", "geo menifee", "california", "as30148", "us note", "route", "ptr record", "information", "t1053", "taskjob", "t1055", "injection", "t1082", "t1112", "modify registry", "t1119", "t1129", "service", "capture", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "showing", "ipv6", "ipv4", "dicator role", "title added", "active related", "sweden", "netherlands", "scan", "iocs", "learn more", "types of", "kingdom", "united kingdom", "denmark", "icator role", "malware attacks", "find encrypted", "t1021", "remote", "t1068", "ta0043", "t1016", "discovery", "t1221", "nobody love", "tori", "kelley", "dj khaled", "justin bieber", "sophos video", "x rack", "x frame", "october", "songculture", "song culture", "tsara brashears", "jess 4", "queryfoundry", "beyond sampling", "pirated", "youtube", "spotify", "twitter", "spy", "tracking" ], "references": [ "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "8-25-220-162-static.reverse.queryfoundry.net", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "I apologize if you don\u2019t like my background stories", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nivdort", "display_name": "Nivdort", "target": null }, { "id": "Virtool", "display_name": "Virtool", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Trojanspy", "display_name": "Trojanspy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Malware Gen", "display_name": "Malware Gen", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Media", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1833, "hostname": 902, "domain": 386, "FileHash-MD5": 406, "FileHash-SHA1": 402, "FileHash-SHA256": 1437, "email": 2, "SSLCertFingerprint": 5, "CIDR": 2 }, "indicator_count": 5375, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "210 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688ed5eca930bccd0aec22be", "name": "Foundry.matav.hu - Ransom & SpyVoltar", "description": "", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:22:20.760000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": "688ed51290c84cbaec011d53", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688ed51290c84cbaec011d53", "name": "Indie Music Artists Website-Win32/SpyVoltar.A Checkin 2", "description": "* Music Artists Website-Win32/SpyVoltar.A Checkin 2 * ransom:Win32/Haperlock.A highjacked SongCulture.com and her Bank Account. Ongoing.\nVery malicious espionage. Had been running Tsars Brashears website after canceling her Bank account via hacking. A South African calle center Brashears was told did not exist were the call center for AllState , Esurance (Now NGIC?) and T-mobile. Have not paid her losses including daughter\u2019s stolen SUV!! \n#espionage #ransom", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:18:42.264000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7aa9d0ec86cff5b95b64", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-09-12T14:01:56.106000", "created": "2024-08-13T15:24:25.284000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "edgecloudc.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "edgecloudc.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776642239.0896235 }