{ "type": "Domain", "indicator": "esource.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/esource.com", "alexa": "http://www.alexa.com/siteinfo/esource.com", "indicator": "esource.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3829126255, "indicator": "esource.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Found in: https://jbplegal.com", "https://www.nsogroup.com", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "https://timersys.com/ [ phishing | deb opera.com]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Tracking: 8.8.4.4 [ NOT a false.positive]", "enterprise.cellebrite.com [ digitalclues.com]", "message.htm.com [ message stealer]", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "training001.blackbagtech.com [opportunity?]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "deviceinbox.com [malware hosting]", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "http://sexkompas.xyz", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "PEXE - DOS executable (COM)", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "tracking2youdu.com , cdn.livechatinc.com", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://tulach.cc/ [malware engineering | phishing]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Quasar rat", "Eternalblue", "Win32:pwsx-gen", "Amadey", "Win32:malware-gen", "Pegasus", "Etpro", "Backdoor:win32/mydoom", "Win.trojan.buzus-5453", "Win32:injector-cvf\\ [trj]\t\twin.mal", "Win.malware.vtflooder-6260355-1", "Trojan:win32/glupteba.mt!mtb" ], "industries": [ "Civil society", "Legal", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b2909ffdc623904cbfd91d", "name": "PEXE - DOS executable (COM)", "description": "I don't have a very good description. I can say this was found in a law firms website and it's not uncommon. Certain attorneys may be under attack based on clients represented. I other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidating and spy on opposition. Very aggressive tactics use. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking. cyber espionage, malvertizing, iOS 'remotwd' , location tracking, reputation abuse.", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-25T16:47:26.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757a662a146889c60b6c", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:10.970000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b4757d6dd7dae344aed3f5", "name": "PEXE - DOS executable (COM)", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-27T03:16:13.209000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b2909ffdc623904cbfd91d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85dca7d8bf0aea33abc3a", "name": "PEXE - DOS executable ", "description": "", "modified": "2024-02-24T16:01:22.095000", "created": "2024-01-30T02:24:10.454000", "tags": [ "network_icmp", "sha256", "yara detections", "alerts", "icmp traffic", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "spain unknown", "search", "date", "status", "passive dns", "urls", "pulse submit", "url analysis", "files", "domain", "next", "as197068 hll", "russia unknown", "ipv4", "body", "alive", "belarus unknown", "aaaa", "moved", "domain names", "creation date", "record value", "expiration date", "a domains", "facebook", "twitter", "encrypt", "httponly", "url http", "http", "ip address", "related nids", "germany unknown", "united", "as3320 deutsche", "france unknown", "united kingdom", "italy unknown", "as7922 comcast", "as701 verizon", "as3209 vodafone", "china unknown", "unknown", "as44273 host", "msie", "chrome", "name servers", "hostname", "maxage86400", "ip asn", "maxage2592000", "gmt server", "amazons3", "unique", "as58061 scalaxy", "all search", "otx scoreblue", "cyprus unknown", "as26347", "customer", "entries", "sexkompas", "script urls", "meta", "as29182 jsc", "gmt content", "script domains", "gmt etag", "as61400", "screenshot", "apache", "path", "as59711 hz", "asn as59711", "dns resolutions", "non dsp", "cor cura", "url https", "as199386 zilore", "showing", "admitad meta", "as44066", "connection", "date sat", "server amazons3", "cloudfront", "xcache miss", "contentlength", "acceptranges", "server", "gmt expires", "code", "title error", "trojan", "body doctype", "html public", "w3cdtd html", "html head", "meta http", "win32", "as3326", "present jan", "reverse dns", "gmt path", "set cookie", "certificate", "pragma", "location united", "show", "medium", "authenticode", "delete", "productversion", "fileversion", "thawte", "copy", "malware", "write", "etpro", "as14061", "whitelisted", "as9009 m247", "paris", "otx telemetry", "for privacy", "redacted for", "dns", "DNSpionage", "apple", "ios", "global", "cyber threat", "tracking", "legal abuse", "privilege escalation", "network", "redirect", "exploit kit", "mey", "spyware", "dropper", "x adblock", "virgin islands", "type", "content length", "dga", "as3175 filanco", "cname", "thawte code", "as32244 liquid", "as24940 hetzner", "head body", "center hr", "gmt contenttype", "title", "registrar", "markmonitor", "internet", "iana", "nethandle", "net192", "net1920000", "iana special", "icann", "please refer", "ietf", "best current", "whois whois", "resolutions", "communicating", "referrer", "win32 exe", "putty", "java", "type name", "pe32 executable", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "info compiler", "products", "vs2005", "vs2008 sp1", "vs2008", "header x64", "name md5", "virtualalloc" ], "references": [ "PEXE - DOS executable (COM)", "redirect_keitaro_exploit_kit_compromised_site_se_referrer", "Found in: https://jbplegal.com", "http://sexkompas.xyz", "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com", "tracking2youdu.com , cdn.livechatinc.com", "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108", "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "China", "United States of America", "Chile", "Germany", "France" ], "malware_families": [ { "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal", "target": null }, { "id": "Win.Malware.Vtflooder-6260355-1", "display_name": "Win.Malware.Vtflooder-6260355-1", "target": null }, { "id": "Win.Trojan.Buzus-5453", "display_name": "Win.Trojan.Buzus-5453", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:PWSX-gen", "display_name": "Win32:PWSX-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "ETPRO", "display_name": "ETPRO", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [ "Legal", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65b4757a662a146889c60b6c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 71, "FileHash-SHA256": 1690, "URL": 9526, "domain": 4882, "hostname": 6120, "email": 250, "CVE": 2 }, "indicator_count": 22694, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "esource.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "esource.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776618598.6408215 }