{ "type": "Domain", "indicator": "ehr4tech.de", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ehr4tech.de", "alexa": "http://www.alexa.com/siteinfo/ehr4tech.de", "indicator": "ehr4tech.de", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3756441135, "indicator": "ehr4tech.de", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 34, "pulses": [ { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6774768587a0dd8c99603273", "name": "JA3 c0dc7647257f04c70118ed416f181827 Valid From 2019-08-24 16:43:06 Valid To 2049-08-24 16:43:06", "description": "Certificate Attributes\nValid From 2019-08-24 16:43:06 Valid To 2049-08-24 16:43:06\nSerial Number 16a250fafea9a6ffac60f09244415fe2194df377 Thumbprint cd0298d2987d51eea8e1c7feaeed4f8f7ad62033\nJA3 c0dc7647257f04c70118ed416f181827 SHA-256 11a75567b5d2d03e200e7473c72b1f698e4a268d38f7653d09515e83f1c52712", "modified": "2025-05-14T21:15:16.467000", "created": "2024-12-31T22:56:05.043000", "tags": [ "valid from", "number", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 1813, "URL": 233, "hostname": 213, "domain": 398 }, "indicator_count": 2695, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d0a9c7f1b04296d9b0d803", "name": "History Killer Pro Injection deleting VirusTotal & OTX.AlienVault Pulses", "description": "", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T12:42:47.334000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65d053a935bf99f5263deb57", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d053a935bf99f5263deb57", "name": "History Killer Pro Injection deleting virustotal & otx.alienvault Pulses", "description": "History killer pro, is being used to delete and modify virustotal nodes and 41 otx.alienvault pulses. Junk data is being used to fill in missing pulses.\nTargeted: 1 callmeDoris several scoreblue (sometimes I clone pulses) Octoseek. \npulses.\nHallrender, Metro by T-Mobile, https://myaccount.uscis.gov/, Esurance, 40 pule reports are regarding Tsara Brashears cyber bully campaign which attacked the corporates mentioned except 2 AIG and Hallrender attackers. 100's of other modifications, deletions by another tool affecting several users.", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T06:35:21.666000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a7e576b3cbdf2f86a32acc", "name": "Skynet | prd.connectforhealthco.com | Identity theft |", "description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++", "modified": "2024-02-16T13:04:46.804000", "created": "2024-01-17T14:34:30.204000", "tags": [ "whois record", "historical ssl", "ssl certificate", "april", "referrer", "threat roundup", "communicating", "whois", "rwi dtools", "jekyll", "metro", "skynet", "identity theft", "parking crew", "whois whois", "resolutions", "october", "august", "march", "june", "attack", "goldfinder", "sibot", "hacktool", "remote attack", "social engineering", "read c", "get autoit", "search", "regsetvalueexa", "show", "entries", "regdword", "intel", "ms windows", "showing", "autoit", "write", "worm", "copy", "unknown", "win32", "persistence", "execution", "malware", "autorun", "redacted for", "for privacy", "name servers", "date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "encrypt", "next", "sabey", "no expiration", "filehashsha256", "filehashsha1", "filehashmd5", "iocs", "create new", "pulse use", "pdf report", "pcap", "malware beacon", "useragent", "http request", "hostile", "autoit windows", "automation tool", "forbidden", "algorithm", "full name", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "detections type", "name", "javascript", "pdf community", "office open", "xml spreadsheet", "text", "siblings", "process32nextw", "fjlsedauv", "writeconsolea", "medium", "discovery", "high", "module load", "t1129", "united", "as63949 linode", "mtb jan", "passive dns", "backdoor", "mtb dec", "open", "body", "artro", "creation date", "servers", "urls", "record value", "expiration date", "vt graph", "parent referrer", "apple private", "data collection", "hidden privacy", "malicious", "verified", "utc submissions", "submitters", "summary iocs", "graph community", "tucows", "amazonaes", "china telecom", "group", "cloudflarenet", "akamaias", "pty ltd", "argon data", "communication", "limited", "digitaloceanasn", "twitter", "dropbox", "domainsite", "alibaba cloud", "computing", "beijing", "service", "ip address", "latest", "virustotal", "unclejohn", "us autonomous", "system46606", "unified layer", "urls latest", "contacted", "historical", "subdomains", "gootloader", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "binary", "sameorigin", "scammer", "spammer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Sibot - S0589", "display_name": "Sibot - S0589", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "target": null }, { "id": "W32/Expiro.fam", "display_name": "W32/Expiro.fam", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" } ], "industries": [ "Healthcare", "Insurance", "Finance", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 515, "FileHash-SHA1": 504, "FileHash-SHA256": 3557, "URL": 5450, "domain": 1842, "hostname": 2221, "CVE": 2, "email": 6 }, "indicator_count": 14097, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261e2290ac1ecc5d9ca74", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:30.771000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4695, "domain": 2494, "hostname": 3547, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5841, "CIDR": 12, "email": 17 }, "indicator_count": 24220, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261d5965b4824d1606cf9", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:17.262000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4719, "domain": 2497, "hostname": 3549, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5861, "CIDR": 12, "email": 17 }, "indicator_count": 24269, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659d687f92ebb4f3d613ae0c", "name": "Mimikatz | www.ssc.spaceforce.mil ", "description": "", "modified": "2024-01-09T15:38:39.547000", "created": "2024-01-09T15:38:39.547000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655cd0f065d2e5a6c92369e5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "876 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "885 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "885 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aa27f81a9096f5889a9d0", "name": "WebToolbar | www.ssc.spaceforce.mil ", "description": "", "modified": "2023-12-21T15:00:07.190000", "created": "2023-12-02T03:20:31.494000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655cd0f065d2e5a6c92369e5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655ce5116519bd86d1f1bdee", "name": "FormBook | www.ssc.spaceforce.mil 'Hoax' | Spyware | Fraud Services", "description": "", "modified": "2023-12-21T15:00:07.190000", "created": "2023-11-21T17:12:49.783000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655cd0f065d2e5a6c92369e5", "name": "www.ssc.spaceforce.mil", "description": "", "modified": "2023-12-21T15:00:07.190000", "created": "2023-11-21T15:46:56.740000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6553b88c316cfb531b9c4c10", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com", "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-14T18:12:28.459000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "902 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65568ab12429c394dc4b91ea", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go", "description": "", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-16T21:33:37.838000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6553b88c316cfb531b9c4c10", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "902 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65536bdc3676a40633a619be", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:45:16.667000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "902 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65568d67bd96e06ab44b9b95", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-16T21:45:11.721000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "65536bdc3676a40633a619be", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "902 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65536bc6301b7cdf7d04e095", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:44:54.422000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "902 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a60cd4985a30bf050572", "name": "Search Engines \u2022 Portals \u2022 Search Engines \u2022 Mobile Communications \u2022 searchengines", "description": "", "modified": "2023-12-06T16:49:16.153000", "created": "2023-12-06T16:49:16.153000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 930, "domain": 74, "hostname": 340, "URL": 567, "FileHash-MD5": 360, "FileHash-SHA1": 185 }, "indicator_count": 2458, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65463631b46319b3aa1d071f", "name": "Qausar RAT - aig.com |", "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seem to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQausar Rat identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.", "modified": "2023-12-04T11:01:36.202000", "created": "2023-11-04T12:16:49.600000", "tags": [ "general full", "url https", "reverse dns", "security tls", "protocol h2", "name value", "resource", "united", "asn16509", "amazon02", "main", "facebook", "http", "request chain", "november", "de page", "url history", "javascript", "meta", "page url", "redirected", "http redirect", "value", "mime type", "variables", "contexthub", "visitor object", "cq function", "sanitize object", "elqq", "domainpath name", "link", "property", "workers", "compensation", "login myaig", "liability", "contact", "a claim", "commercial auto", "login aig", "form", "cyber", "find", "team", "defense", "crime", "ransom", "energy", "cargo", "life", "media", "enterprise", "american international", "frankfurt", "germany", "october", "domains", "asn20940", "cisco", "umbrella rank", "domain", "de summary", "ssl certificate", "whois record", "whois whois", "malware", "network mooooda", "and china", "filter https", "dsp1", "keepaliveyes", "p11642963562", "quasar", "metro", "android", "djvu", "win32 exe", "win32 dll", "ms excel", "dao360", "spreadsheet", "files", "detections type", "name", "phishing", "tulach exploits", "falcon sandbox", "pattern match", "file", "script", "indicator", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "date", "unknown", "body", "error", "span", "class", "generator", "critical", "refresh", "open", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "suricata" ], "references": [ "aig.com", "https://urlscan.io", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "remoteaccess.aig.com", "https://remote.goeaston.net", "window.location.search", "location.search", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/" ], "public": 1, "adversary": "American International", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "American International", "display_name": "American International", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Reinsurance", "Travel" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 117, "FileHash-SHA256": 1962, "domain": 575, "hostname": 1623, "FileHash-MD5": 123, "URL": 3670, "CVE": 2 }, "indicator_count": 8072, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f047d030109e1cab23db8", "name": "Qakbot, Qbot, Qausar | CNC", "description": "", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-30T01:18:53.112000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653e9215890dfc9167d774e3", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653e9147fc170101be4f7afe", "name": "CNC | Malicious activities. | aig.com [lacks http/https]", "description": "My input: unsigned, evasive,Trojan:Win32/Danabot.G, missing STSH, CNC, phishing, trojans, scanning host, exploit host. \n\n\n[Auto populated: Last DNS records are held by a single person, and they are not the same as the previous records, which were posted in the early 1990s and early 2000s, according to the US government.]", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-29T17:07:19.371000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653e9215890dfc9167d774e3", "name": "Qakbot, Qbot, Qausar | CNC", "description": "My input: unsigned, evasive,Trojan:Win32/Danabot.G, missing STSH, CNC, phishing, trojans, scanning host, exploit host. \n\n\n[Auto populated: Last DNS records are held by a single person, and they are not the same as the previous records, which were posted in the early 1990s and early 2000s, according to the US government.]", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-29T17:10:45.609000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653e92fcaf9d549477914ece", "name": "Registrar Abuse | CNC", "description": "My input: unsigned, evasive,Trojan:Win32/Danabot.G, missing STSH, CNC, phishing, trojans, scanning host, exploit host. \n\n\n[Auto populated: Last DNS records are held by a single person, and they are not the same as the previous records, which were posted in the early 1990s and early 2000s, according to the US government.]", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-29T17:14:36.780000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f04475b063d0b0d3badca", "name": "CNC | Malicious activities. | aig.com [lacks http/https]", "description": "", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-30T01:17:59.531000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653e9147fc170101be4f7afe", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f04af6927f6584755d691", "name": "Registrar Abuse | CNC", "description": "", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-30T01:19:43.234000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653e92fcaf9d549477914ece", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f02c459cc8bcaa5ebeb7a", "name": "Targeted hacking via malicious DGA insurance domains AIGcom", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:11:32.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "653db32c6a6193714e513695", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f05ff39b2dee54b89d17a", "name": "AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:25:19.036000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db0487ec8c7a4c0b1ef0e", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f21878bcd05f7d594ff86", "name": " AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T03:22:47.684000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db044432cdee91e2f5d1c", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653db32c6a6193714e513695", "name": "Targeted hacking via malicious DGA insurance domains AIGcom | Host: am1mxi05.aig.com | IP: 167.230.100.44", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago\nHard to understand.", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:19:40.692000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653db12d71978ca34e49e88e", "name": "Hacking stemming from malicious DGA Insurance domains under Cisco Umbrella", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:11:09.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570", "defense entity fraud?" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653db0487ec8c7a4c0b1ef0e", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:20.916000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653db044432cdee91e2f5d1c", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:16.410000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "650f714b099ee92d73840f63", "name": "Search Engines \u2022 Portals \u2022 Search Engines \u2022 Mobile Communications \u2022 searchengines", "description": "Scanning Host \u2022 Malware Site \u2022 Phishing \u2022 Malicious site", "modified": "2023-10-23T21:01:17.695000", "created": "2023-09-23T23:14:18.638000", "tags": [ "united", "anonymizer", "detection list", "ip address", "blacklist", "firehol proxy", "firehol south", "credit union", "team", "proxy", "cisco umbrella", "site", "safe site", "malware site", "malicious site", "alexa top", "million", "malware", "phishing site", "suspected", "unruy", "riskware", "artemis", "phishing", "bank", "alexa", "union", "pony", "catalina", "opencandy", "cleaner", "service", "runescape", "facebook", "download", "iframe", "downldr", "agent", "presenoker", "unsafe", "blacklist https", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "malicious url" ], "references": [ "https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMtxvGo2FAHaEK&exph=450&expw=800&q=Tsara+Brashears+Defeats+Jeffrey+Reimer&selectedindex=2&adt=1&vt=4&eim=0,3,4,6/CAR-BOMB-DEATH-THREAT-AFTER-TSARA-BRASHEARS-PREVAILS-AGAINST-JEFFREY-REIMER-DPT-SEXUAL-MISCONDUCT", "Hybrid Analysis", "Online Research", "WebTools" ], "public": 1, "adversary": "NoName057", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:PUA:Win32/Catalina", "display_name": "ALF:PUA:Win32/Catalina", "target": null }, { "id": "Backdoor:PHP/Artemis", "display_name": "Backdoor:PHP/Artemis", "target": "/malware/Backdoor:PHP/Artemis" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 567, "FileHash-SHA256": 930, "domain": 74, "hostname": 340, "CVE": 2, "FileHash-SHA1": 185, "FileHash-MD5": 360 }, "indicator_count": 2458, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "953 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "pornhub.com", "location.search", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "http://mobile.suddenlink2go.com/", "WebTools", "aig.com", "https://www.bing.com/images/search?view=detailV2&id=11DBB9C6633FBE863EC959A64A0934887FA7C481&thid=OIP.1ZMj0U28ecIgZMtxvGo2FAHaEK&exph=450&expw=800&q=Tsara+Brashears+Defeats+Jeffrey+Reimer&selectedindex=2&adt=1&vt=4&eim=0,3,4,6/CAR-BOMB-DEATH-THREAT-AFTER-TSARA-BRASHEARS-PREVAILS-AGAINST-JEFFREY-REIMER-DPT-SEXUAL-MISCONDUCT", "Online Research", "home.toshiba.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "www.historykillerpro.com", "http://gmpg.org/xfn/11 [HTTrack]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "myhughesnet.com", "dishmail.net", "nr-data.net [Apple Private Data Collection]", "me.com [Pegasus]", "192.229.211.108 [Tracking & Virus Network]", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community", "https://urlscan.io", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "Hybrid Analysis", "http://sniper.debugger.ru", "https://remote.goeaston.net", "https://monitor.rodgersmith.com", "37.1.217.172 [scanning host]", "monitor.cablelan.net", "https://tulach.cc/", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://applemusic-spotlight.myunidays.com/US/en-US?", "window.location.search", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "a-poster.info", "https://www.everycloudtech.com/free-mail-flow-monitor", "remoteaccess.aig.com", "ytq2rs56.haogfw.com", "images.ctfassets.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NoName057", "American International" ], "malware_families": [ "Hacktool", "American international", "Win.trojan.agent-1372316", "Sibot - s0589", "Sibot", "Nymaim", "Trojanspy", "Appleservice", "Immortal stealer", "Chinese", "Pegasus - mob-s0005", "Trojan", "Alf:pua:win32/catalina", "Pegasus for ios - s0289", "Ransomexx", "Mirai", "Gandcrab", "Ransomware", "Goldfinder", "Hacktool.bruteforce", "Trojan:win32/installcore", "Roblox", "Backdoor:php/artemis", "Blacknet", "Azorult", "Yixun", "Domains", "Hallrender", "Win32:delf-ses\\ [trj]", "Inmortal", "Mimikatz", "Maltiverse", "Artro", "Looquer", "Trojandownloader:win32/neojit.a", "Sabey", "Trojanx", "Tofsee", "Downloader.cerber/js!1.a59c (classic)", "Alf:heraklezeval:trojandownloader:win32/unruy", "Quasar rat", "Pegasus for android - mob-s0032", "Verified", "Artemis", "Hacktool.cheatengine", "Emotet", "Variant.zusy.572 checkin", "Webtoolbar", "Alf:program:opencandy:remnant", "Ducktail", "Neurovt", "W32/expiro.fam", "Opencandy", "Nanocore", "Hiddentear", "Raccoon stealer", "Kimsuky", "Pony - s0453", "Cobalt strike", "Firehol", "Skynet", "Tulach", "Goldmax - s0588", "Icefog", "Formbook" ], "industries": [ "Reinsurance", "Telecommunications", "Technology", "Healthcare", "Government", "Insurance", "Finance", "Travel" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 34, "pulses": [ { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6774768587a0dd8c99603273", "name": "JA3 c0dc7647257f04c70118ed416f181827 Valid From 2019-08-24 16:43:06 Valid To 2049-08-24 16:43:06", "description": "Certificate Attributes\nValid From 2019-08-24 16:43:06 Valid To 2049-08-24 16:43:06\nSerial Number 16a250fafea9a6ffac60f09244415fe2194df377 Thumbprint cd0298d2987d51eea8e1c7feaeed4f8f7ad62033\nJA3 c0dc7647257f04c70118ed416f181827 SHA-256 11a75567b5d2d03e200e7473c72b1f698e4a268d38f7653d09515e83f1c52712", "modified": "2025-05-14T21:15:16.467000", "created": "2024-12-31T22:56:05.043000", "tags": [ "valid from", "number", "sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 1813, "URL": 233, "hostname": 213, "domain": 398 }, "indicator_count": 2695, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d0a9c7f1b04296d9b0d803", "name": "History Killer Pro Injection deleting VirusTotal & OTX.AlienVault Pulses", "description": "", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T12:42:47.334000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65d053a935bf99f5263deb57", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d053a935bf99f5263deb57", "name": "History Killer Pro Injection deleting virustotal & otx.alienvault Pulses", "description": "History killer pro, is being used to delete and modify virustotal nodes and 41 otx.alienvault pulses. Junk data is being used to fill in missing pulses.\nTargeted: 1 callmeDoris several scoreblue (sometimes I clone pulses) Octoseek. \npulses.\nHallrender, Metro by T-Mobile, https://myaccount.uscis.gov/, Esurance, 40 pule reports are regarding Tsara Brashears cyber bully campaign which attacked the corporates mentioned except 2 AIG and Hallrender attackers. 100's of other modifications, deletions by another tool affecting several users.", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T06:35:21.666000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a7e576b3cbdf2f86a32acc", "name": "Skynet | prd.connectforhealthco.com | Identity theft |", "description": "Remote interception of health insurance applicants call. Social engineering - threat actor will walk target through process beginning with; verification of phone model, browser used, phone number, email, ssn# entered in staged health insurance enrollment application. Auto forwards ssn# to Experian, locking consumer from of all accounts, credit information is stolen, consumer identity theft. New accounts cannot be created, a password reset is required for scam, all emails requested, bad actor will ask for entire households email accounts, device use, etc. Sends malicious forms to devices. Takes consumer through a lengthy phone transfer scheme +++", "modified": "2024-02-16T13:04:46.804000", "created": "2024-01-17T14:34:30.204000", "tags": [ "whois record", "historical ssl", "ssl certificate", "april", "referrer", "threat roundup", "communicating", "whois", "rwi dtools", "jekyll", "metro", "skynet", "identity theft", "parking crew", "whois whois", "resolutions", "october", "august", "march", "june", "attack", "goldfinder", "sibot", "hacktool", "remote attack", "social engineering", "read c", "get autoit", "search", "regsetvalueexa", "show", "entries", "regdword", "intel", "ms windows", "showing", "autoit", "write", "worm", "copy", "unknown", "win32", "persistence", "execution", "malware", "autorun", "redacted for", "for privacy", "name servers", "date", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "encrypt", "next", "sabey", "no expiration", "filehashsha256", "filehashsha1", "filehashmd5", "iocs", "create new", "pulse use", "pdf report", "pcap", "malware beacon", "useragent", "http request", "hostile", "autoit windows", "automation tool", "forbidden", "algorithm", "full name", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "detections type", "name", "javascript", "pdf community", "office open", "xml spreadsheet", "text", "siblings", "process32nextw", "fjlsedauv", "writeconsolea", "medium", "discovery", "high", "module load", "t1129", "united", "as63949 linode", "mtb jan", "passive dns", "backdoor", "mtb dec", "open", "body", "artro", "creation date", "servers", "urls", "record value", "expiration date", "vt graph", "parent referrer", "apple private", "data collection", "hidden privacy", "malicious", "verified", "utc submissions", "submitters", "summary iocs", "graph community", "tucows", "amazonaes", "china telecom", "group", "cloudflarenet", "akamaias", "pty ltd", "argon data", "communication", "limited", "digitaloceanasn", "twitter", "dropbox", "domainsite", "alibaba cloud", "computing", "beijing", "service", "ip address", "latest", "virustotal", "unclejohn", "us autonomous", "system46606", "unified layer", "urls latest", "contacted", "historical", "subdomains", "gootloader", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "binary", "sameorigin", "scammer", "spammer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "Sibot - S0589", "display_name": "Sibot - S0589", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "display_name": "Downloader.Cerber/JS!1.A59C (CLASSIC)", "target": null }, { "id": "W32/Expiro.fam", "display_name": "W32/Expiro.fam", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" } ], "industries": [ "Healthcare", "Insurance", "Finance", "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 515, "FileHash-SHA1": 504, "FileHash-SHA256": 3557, "URL": 5450, "domain": 1842, "hostname": 2221, "CVE": 2, "email": 6 }, "indicator_count": 14097, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261e2290ac1ecc5d9ca74", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:30.771000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4695, "domain": 2494, "hostname": 3547, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5841, "CIDR": 12, "email": 17 }, "indicator_count": 24220, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261d5965b4824d1606cf9", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:17.262000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4719, "domain": 2497, "hostname": 3549, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5861, "CIDR": 12, "email": 17 }, "indicator_count": 24269, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659d687f92ebb4f3d613ae0c", "name": "Mimikatz | www.ssc.spaceforce.mil ", "description": "", "modified": "2024-01-09T15:38:39.547000", "created": "2024-01-09T15:38:39.547000", "tags": [ "a domains", "united", "as20940", "aaaa", "as16625 akamai", "link", "passive dns", "space systems", "urls", "search", "encrypt", "ssl certificate", "whois record", "whois whois", "historical ssl", "referrer", "resolutions", "communicating", "collections", "contacted", "sneaky server", "team", "metro", "hacktool", "tsara brashears", "apple ios", "highly targeted", "core", "android", "formbook", "emotet", "download", "malware", "malicious", "critical", "copy", "relic", "monitoring", "installer", "first", "utc submissions", "submitters", "gandi sas", "csc corporate", "domains", "cloudflare", "cloudflarenet", "akamaias", "summary iocs", "b item", "cisco umbrella", "site", "maltiverse", "heur", "safe site", "alexa top", "million", "tsgeneric", "riskware", "unsafe", "phishing", "union", "bank", "opencandy", "exploit", "agent", "mimikatz", "webtoolbar", "no expiration", "expiration", "indicator role", "pulses url", "url https", "domain", "url http", "brashears type", "showing", "entries" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655cd0f065d2e5a6c92369e5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 81, "hostname": 1376, "URL": 3305, "domain": 572, "FileHash-SHA256": 3300, "CVE": 4, "email": 1 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "876 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "885 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "885 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ehr4tech.de", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ehr4tech.de", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780513520.2216527 }