{ "type": "Domain", "indicator": "fileserver.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fileserver.com", "alexa": "http://www.alexa.com/siteinfo/fileserver.com", "indicator": "fileserver.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4124705027, "indicator": "fileserver.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69c227fd2960e96cae88fb97", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:21.777000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c228009e33309be83b65b7", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:24.002000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c0a8b94cbf6df8655828d5", "name": "199.191.50.72 ASNONE", "description": "199.191.50.72\nAdd to Pulse\nPulses\n12\nPassive DNS\n500+\nURLs\n10\nFiles\n41K\nAnalysis Overview\nLocation\nVirgin Islands, British flag\nVirgin Islands, British\nASN\nAS40034 confluence networks inc\nDNS Resolutions\n500+ Domains\nTop Level Domains\n42 Unique TLDs\nRelated Pulses\nOTX User-Created Pulses (12)\nRelated Tags\n561 Related Tags\n707713\nransomware\nunited\nsearch\nasnone\nMore\nIndicator Facts\nHistorical OTX telemetry\nIP mentioned on Twitter\n34 domains resolved in last 7 days\n173 domains resolved in last 30 days\n500+ domains resolved in all time\n42 top-level domains\nAntivirus Detections\nALF:E5.SpikeAex.rhh_pid\nALF:HeraklezEval:PUA:Win32/KuaiZip\nALF:HeraklezEval:Trojan:Win32/Eggnog!rfn\nALF:HeraklezEval:Trojan:Win32/Maener!rf\nALF:HeraklezEval:TrojanDownloader:HTML/Adodb\nMore\nAV Detection Ratio\n739\n / 786", "modified": "2026-04-22T03:27:13.249000", "created": "2026-03-23T02:43:05.252000", "tags": [ "msudosos ipv4", "pulse pulses", "passive dns", "urls", "files", "location virgin", "islands", "virgin islands", "british asn", "dns resolutions", "twitter" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 414, "domain": 111, "hostname": 1103, "URL": 485, "FileHash-SHA1": 139, "FileHash-MD5": 138, "email": 2 }, "indicator_count": 2392, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c06ca9341d6c063f652e33", "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus", "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.", "modified": "2026-04-21T22:07:35.710000", "created": "2026-03-22T22:26:49.205000", "tags": [ "ransomware", "united", "search", "asnone", "regsetvalueexa", "service", "regdword", "medium", "get na", "malware", "dock", "push", "write", "win32", "playgame", "unknown", "exploit", "cve", "wncry", "wannacry", "passive dns", "urls", "british virgin", "all url", "http", "ip address", "related nids", "files location", "virgin islands", "islands", "bgp", "virgin islands", "hijacked", "data upload", "extraction", "failed", "review iocs", "include ovo", "tovary review", "ids detec", "yara dete", "trior texarag", "drop or", "rrowse", "type", "extra data", "hurricane electric", "p2404", "p11629470400", "p11629107633", "artifacts v", "full reports", "v help", "info", "low l", "high ta0002", "techniques", "t1053", "command", "scripting inte", "low ta0003", "techniques high", "t1053 ite", "modify system", "pl t1543", "boot", "logon autostart", "ex t1547", "checks-disk-space", "checks-network-adapters", "detect-debug-environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules", "get http", "head http", "dns resolutions", "ip traffic", "53 tcp", "tls sni", "apple id", "webdisk", "expiration", "url http", "hostname", "no expiration", "iocs", "url https", "es included", "win32 exe", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1204 user", "defense evasion", "over", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "local", "path", "click", "strings", "javascript", "ssl certificate", "encrypt", "accept", "russia unknown", "meta", "record value", "aaaa", "link", "present jun", "apple", "remote access", "otx logo", "all ipv4", "url analysis", "files", "accept ch", "present dec", "content type", "x pcrew", "name servers", "present may", "body doctype", "title", "all domain", "servers", "china unknown", "found content", "gmt p3p", "cp oti", "dsp cor", "iva our", "ind com", "domain", "cname", "entries", "brian sabey", "hallrender", "christopher ahmann", "t1480 execution", "discovery att", "heur", "virtool", "win64", "mtb win32", "backdoor", "location china", "hangzhou", "china asn", "ransom", "wannadecryptor", "filehash", "yara detections", "msvisualcpp60", "related tags", "none file", "type pexe", "copy", "beginstring", "null", "refresh", "body", "span", "error", "tools", "look", "verify", "restart", "expl", "unknown cname", "hacktool", "domain address", "contacted hosts", "process details", "flag", "ipv4 add", "location united", "america flag", "exploit", "show", "all filehash", "expiration date", "gmt location", "gmt max", "domain add", "elite", "date", "cowboy", "United States", "present feb", "present oct", "creation date", "present nov", "moved", "emails" ], "references": [ "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "Alerts: peid_packer pe_unknown_resource_name", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "findmy.apple-uk.live", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "https://fonts.googleapis.com/css", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "www.remoteaccess.allied-media.com", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "dns17.hichina.com", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "okg.and.googletagmanagers.com", "pcy.and.googletagmanagers.com", "pgj.and.googletagmanagers.com", "prb.and.googletagmanagers.com", "lkp.and.googletagmanagers.com", "jgw.and.googletagmanagers.com", "bzx.and.googletagmanagers.com", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147.A", "display_name": "Exploit:Win32/CVE-2017-0147.A", "target": "/malware/Exploit:Win32/CVE-2017-0147.A" }, { "id": "Trojan/JS.Redirector.QNO", "display_name": "Trojan/JS.Redirector.QNO", "target": null }, { "id": "Win.Trojan.Application-1955.", "display_name": "Win.Trojan.Application-1955.", "target": null }, { "id": "Win32:Banker-LAA\\ [Trj]", "display_name": "Win32:Banker-LAA\\ [Trj]", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win.Trojan.Fugrafa-9733007-0", "display_name": "Win.Trojan.Fugrafa-9733007-0", "target": null }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.VBGeneric-6989114-0", "display_name": "Win.Trojan.VBGeneric-6989114-0", "target": null }, { "id": "VirTool:Win32/VBInject.YA!MTB", "display_name": "VirTool:Win32/VBInject.YA!MTB", "target": "/malware/VirTool:Win32/VBInject.YA!MTB" }, { "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "target": null }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win32:Dh-A\\", "display_name": "Win32:Dh-A\\", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147.A", "display_name": "Ransom:Win32/CVE-2017-0147.A", "target": "/malware/Ransom:Win32/CVE-2017-0147.A" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Malware.Flystudio-6738927-0", "display_name": "Win.Malware.Flystudio-6738927-0", "target": null }, { "id": "ALF:SpikeAexR.PEVPOPC", "display_name": "ALF:SpikeAexR.PEVPOPC", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" } ], "industries": [ "Government", "Legal", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3779, "FileHash-MD5": 422, "FileHash-SHA1": 411, "FileHash-SHA256": 1824, "domain": 979, "hostname": 2082, "CVE": 1, "BitcoinAddress": 3, "SSLCertFingerprint": 6, "email": 8 }, "indicator_count": 9515, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b93173c291f39a877bf383", "name": "975f860736f9f78bae29bbede1d16461bb91711f", "description": "\"vlad/serge\" im tired of you evading normal detection. tricky one. good game.", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T10:48:19.678000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 211, "FileHash-SHA1": 205, "FileHash-SHA256": 207, "SSLCertFingerprint": 2, "URL": 28, "domain": 189, "hostname": 80, "email": 4 }, "indicator_count": 926, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "dns17.hichina.com", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://deposito.hostance.net/dialer/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Alerts: peid_packer pe_unknown_resource_name", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "bzx.and.googletagmanagers.com", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "IDS Detections: Query for .cc TLD 403 Forbidden", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "www.remoteaccess.allied-media.com", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "We can't connect to the server for this & x Lambda function", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "https://fonts.googleapis.com/css", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "pcy.and.googletagmanagers.com", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "http://remote.edikamin.com/", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "findmy.apple-uk.live", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "pgj.and.googletagmanagers.com", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "The Lambda function associated with the CloudFront distribution was throttled.", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "okg.and.googletagmanagers.com", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "simswap.in (possible Mirai or relationship to)", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "jgw.and.googletagmanagers.com", "lkp.and.googletagmanagers.com", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "prb.and.googletagmanagers.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/startpage.aea", "Warzonerat - s0670", "Win32:evo-gen", "Win32:dh-a\\", "!#addscopy-tostartup", "Win.dropper.darkkomet-9370806-0", "Cve-2023-22518", "Ransom:win32/cve-2017-0147.a", "Alf:heraklezeval:pua:win32/keygen", "Win.ransomware.wannacry-6313787-0", "Virtool:win32/injector.gen!bq", "Ransom:win32/wannacrypt.h", "Banload", "Win. trojan.agent-292909", "Win32:banker-laa\\ [trj]", "Mirai", "Win64:expiro-aj\\ [inf]", "Trojan/js.redirector.qno", "Cve-2017-0147", "Exploit:win32/cve-2017-0147.a", "Win.downloader.14593-1", "Win.ransomware.wanna-9769986-0", "Sf:wncryldr-a\\ [trj]", "Trojan:win32/diamin.f", "Cycbot", "Win.trojan.fugrafa-9733007-0", "#virtool:win32/obfuscator", "Win.trojan.vbgeneric-6989114-0", "Virtool:win32/autinject.cz!bit", "Ransomware", "Win32:cabmod\\ [drp]", "Unix.trojan.mirai-9441505-0", "Win.malware.snojan-6775202-0", "Coolwebsearch", "Win32:evo-gen\\ [trj]", "Backdoor:win32/small.ir", "Win.malware.flystudio-6738927-0", "Win.malware.agent-6598770-0", "Virtool:win32/obfuscator.jm", "Win.trojan.application-1955.", "Win32:trojanx-gen\\ [trj]", "Win32:dh-a\\ [win32:fileinfector-c\\ [heur]", "Dialer", "Win.trojan.agent-316098", "Trojandownloader:win32/banload.d", "Trojan:win32/danginex", "Trojan.startpage-1612", "Alf:spikeaexr.pevpopc", "Trojan.redirector.js", "Win32:malware-gen", "Win.trojan.agent-336291", "Virtool:win32/vbinject.ya!mtb", "Trojandropper:win32/hupigon.gen!a", "Win.trojan.agent-36211", "Trojan.cycbot-2671", "Trojan:win32/bulta!rfn" ], "industries": [ "Healthcare", "Technology", "Legal", "Telecommunications", "Government", "Media" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69c227fd2960e96cae88fb97", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:21.777000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c228009e33309be83b65b7", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-04-23T04:01:31.987000", "created": "2026-03-24T05:58:24.002000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c0a8b94cbf6df8655828d5", "name": "199.191.50.72 ASNONE", "description": "199.191.50.72\nAdd to Pulse\nPulses\n12\nPassive DNS\n500+\nURLs\n10\nFiles\n41K\nAnalysis Overview\nLocation\nVirgin Islands, British flag\nVirgin Islands, British\nASN\nAS40034 confluence networks inc\nDNS Resolutions\n500+ Domains\nTop Level Domains\n42 Unique TLDs\nRelated Pulses\nOTX User-Created Pulses (12)\nRelated Tags\n561 Related Tags\n707713\nransomware\nunited\nsearch\nasnone\nMore\nIndicator Facts\nHistorical OTX telemetry\nIP mentioned on Twitter\n34 domains resolved in last 7 days\n173 domains resolved in last 30 days\n500+ domains resolved in all time\n42 top-level domains\nAntivirus Detections\nALF:E5.SpikeAex.rhh_pid\nALF:HeraklezEval:PUA:Win32/KuaiZip\nALF:HeraklezEval:Trojan:Win32/Eggnog!rfn\nALF:HeraklezEval:Trojan:Win32/Maener!rf\nALF:HeraklezEval:TrojanDownloader:HTML/Adodb\nMore\nAV Detection Ratio\n739\n / 786", "modified": "2026-04-22T03:27:13.249000", "created": "2026-03-23T02:43:05.252000", "tags": [ "msudosos ipv4", "pulse pulses", "passive dns", "urls", "files", "location virgin", "islands", "virgin islands", "british asn", "dns resolutions", "twitter" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 414, "domain": 111, "hostname": 1103, "URL": 485, "FileHash-SHA1": 139, "FileHash-MD5": 138, "email": 2 }, "indicator_count": 2392, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c06ca9341d6c063f652e33", "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus", "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.", "modified": "2026-04-21T22:07:35.710000", "created": "2026-03-22T22:26:49.205000", "tags": [ "ransomware", "united", "search", "asnone", "regsetvalueexa", "service", "regdword", "medium", "get na", "malware", "dock", "push", "write", "win32", "playgame", "unknown", "exploit", "cve", "wncry", "wannacry", "passive dns", "urls", "british virgin", "all url", "http", "ip address", "related nids", "files location", "virgin islands", "islands", "bgp", "virgin islands", "hijacked", "data upload", "extraction", "failed", "review iocs", "include ovo", "tovary review", "ids detec", "yara dete", "trior texarag", "drop or", "rrowse", "type", "extra data", "hurricane electric", "p2404", "p11629470400", "p11629107633", "artifacts v", "full reports", "v help", "info", "low l", "high ta0002", "techniques", "t1053", "command", "scripting inte", "low ta0003", "techniques high", "t1053 ite", "modify system", "pl t1543", "boot", "logon autostart", "ex t1547", "checks-disk-space", "checks-network-adapters", "detect-debug-environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules", "get http", "head http", "dns resolutions", "ip traffic", "53 tcp", "tls sni", "apple id", "webdisk", "expiration", "url http", "hostname", "no expiration", "iocs", "url https", "es included", "win32 exe", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1204 user", "defense evasion", "over", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "local", "path", "click", "strings", "javascript", "ssl certificate", "encrypt", "accept", "russia unknown", "meta", "record value", "aaaa", "link", "present jun", "apple", "remote access", "otx logo", "all ipv4", "url analysis", "files", "accept ch", "present dec", "content type", "x pcrew", "name servers", "present may", "body doctype", "title", "all domain", "servers", "china unknown", "found content", "gmt p3p", "cp oti", "dsp cor", "iva our", "ind com", "domain", "cname", "entries", "brian sabey", "hallrender", "christopher ahmann", "t1480 execution", "discovery att", "heur", "virtool", "win64", "mtb win32", "backdoor", "location china", "hangzhou", "china asn", "ransom", "wannadecryptor", "filehash", "yara detections", "msvisualcpp60", "related tags", "none file", "type pexe", "copy", "beginstring", "null", "refresh", "body", "span", "error", "tools", "look", "verify", "restart", "expl", "unknown cname", "hacktool", "domain address", "contacted hosts", "process details", "flag", "ipv4 add", "location united", "america flag", "exploit", "show", "all filehash", "expiration date", "gmt location", "gmt max", "domain add", "elite", "date", "cowboy", "United States", "present feb", "present oct", "creation date", "present nov", "moved", "emails" ], "references": [ "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "Alerts: peid_packer pe_unknown_resource_name", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "findmy.apple-uk.live", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "https://fonts.googleapis.com/css", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "www.remoteaccess.allied-media.com", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "dns17.hichina.com", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "okg.and.googletagmanagers.com", "pcy.and.googletagmanagers.com", "pgj.and.googletagmanagers.com", "prb.and.googletagmanagers.com", "lkp.and.googletagmanagers.com", "jgw.and.googletagmanagers.com", "bzx.and.googletagmanagers.com", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147.A", "display_name": "Exploit:Win32/CVE-2017-0147.A", "target": "/malware/Exploit:Win32/CVE-2017-0147.A" }, { "id": "Trojan/JS.Redirector.QNO", "display_name": "Trojan/JS.Redirector.QNO", "target": null }, { "id": "Win.Trojan.Application-1955.", "display_name": "Win.Trojan.Application-1955.", "target": null }, { "id": "Win32:Banker-LAA\\ [Trj]", "display_name": "Win32:Banker-LAA\\ [Trj]", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win.Trojan.Fugrafa-9733007-0", "display_name": "Win.Trojan.Fugrafa-9733007-0", "target": null }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.VBGeneric-6989114-0", "display_name": "Win.Trojan.VBGeneric-6989114-0", "target": null }, { "id": "VirTool:Win32/VBInject.YA!MTB", "display_name": "VirTool:Win32/VBInject.YA!MTB", "target": "/malware/VirTool:Win32/VBInject.YA!MTB" }, { "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "target": null }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win32:Dh-A\\", "display_name": "Win32:Dh-A\\", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147.A", "display_name": "Ransom:Win32/CVE-2017-0147.A", "target": "/malware/Ransom:Win32/CVE-2017-0147.A" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Malware.Flystudio-6738927-0", "display_name": "Win.Malware.Flystudio-6738927-0", "target": null }, { "id": "ALF:SpikeAexR.PEVPOPC", "display_name": "ALF:SpikeAexR.PEVPOPC", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" } ], "industries": [ "Government", "Legal", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3779, "FileHash-MD5": 422, "FileHash-SHA1": 411, "FileHash-SHA256": 1824, "domain": 979, "hostname": 2082, "CVE": 1, "BitcoinAddress": 3, "SSLCertFingerprint": 6, "email": 8 }, "indicator_count": 9515, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b93173c291f39a877bf383", "name": "975f860736f9f78bae29bbede1d16461bb91711f", "description": "\"vlad/serge\" im tired of you evading normal detection. tricky one. good game.", "modified": "2026-04-16T11:25:00.458000", "created": "2026-03-17T10:48:19.678000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 211, "FileHash-SHA1": 205, "FileHash-SHA256": 207, "SSLCertFingerprint": 2, "URL": 28, "domain": 189, "hostname": 80, "email": 4 }, "indicator_count": 926, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fileserver.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fileserver.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780315018.9958868 }