{ "type": "Domain", "indicator": "facebookconnect.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/facebookconnect.com", "alexa": "http://www.alexa.com/siteinfo/facebookconnect.com", "indicator": "facebookconnect.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3748914064, "indicator": "facebookconnect.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "691 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "691 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65551682899b039e02b8dc8a", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:38.437000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655516871038cbad9eae2bb7", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:43.285000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "3.163.189.120 [Tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "greycroftpartners.com", "www.anyxxxtube.net - Adult Content IP", "AfraidZad.exe", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "103.224.182.253 [command_and_control]", "https://www.reddit.com/user/", "104.247.75.218 | [cnc ]", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "CVE-2017-0147", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "114.114.114.114 - Tulach Malware", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "www.dead-speak.com", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "104.86.182.8 [command_and_control]", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "www.governmentattic.org [privilege: malicious malware downloading]", "https://test2.ditproducts.com/dat/wannacry1.html", "Certificate Subject CN=brazzerspesonals.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "BEELab_web_1.0.2-prerelease.exe", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "Follow up need. This is a serious financial crime following the victims.", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "Targeting", "https://twitter.com/PORNO_SEXYBABES", "Victims have lost financial assets, jobs, vehicles", "CVE-2023-22518 | CVE-2023-4966", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "64.38.232.180 - Adult Content IP", "https://tulach.cc/ [phishing attacks]", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "asp.bet", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "Assurance", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "Information gathered equals 2 pulses. Pulse (1) included", "browser.events.data.msn.com | events-sandbox.data.msn.com", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "christ.robert@gmx.de", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "eg-monitoring.com", "Gowi Live Bot.exe", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "\u2193 Interesting \u2193", "tsarabrashears.com", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "owa.telegrafix.com", "www.anyxxxtube.net - Adult Content", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "tulach.cc [AM | phishing]", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome", "sweetheartvideo.com", "rp.downloadastrocdn.com [command_and_control]", "http://r3.o.lencr.org", "103.224.182.246 [command_and_control]", "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "trkpls3.com", "https://www.adultforce.com/ [malvertizing Tsara Brashears]", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "checkip.dyndns.org [command_and_control]", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "86.140.232.148 [scanning_host]", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly," ], "malware_families": [ "Hallgrand", "Generic", "Appleservice", "Malware", "Trojanspy", "Pandex!gen1", "Brashears", "Maltiverse", "Trojan.karagany - s0094", "Mirai", "Adware.pcappstore/veryfast", "Honeypot", "Lumen ip", "Sabey", "Elf:ddos-s\\ [trj]", "Win.trojan.fenomengame-8", "Alf:jasyp:trojandownloader:win32/karagany!atmn", "Webtoolbar", "Alf:jasyp:trojan:win32/adialer", "Cve-2017-0147", "Static ai - malicious pe", "Virus:dos/paris", "Agent tesla", "Trojandropper:win32/muldrop", "Tulach malware", "Nsis", "Hallrender", "Unix.trojan.gafgyt-6981154-0", "Mirai sim swap", "Spaceship", "Win.packed.pincav-7537597-0", "Win32:karagany-d\\ [trj]", "Am", "Rms", "Win.malware.msilperseus-6989564-0", "Trojan:win32/startpage.ss", "Win.trojan.xtoober-650", "Unknown malware \u2018can't access file\u2019", "Win.trojan.ramnit-1847", "Tulach", "Alf:jasyp:trojan:win32/ircbot!atmn", "Et", "Win.trojan.fenomengame-14", "Hacktool" ], "industries": [ "Telecommunications", "Technology", "Financial", "Government", "Irs", "Healthcare", "Finance - insurance sector" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "691 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "691 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65551682899b039e02b8dc8a", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:38.437000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655516871038cbad9eae2bb7", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:43.285000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "facebookconnect.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "facebookconnect.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780274387.3330326 }