{ "type": "Domain", "indicator": "fireeyecloud.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fireeyecloud.com", "alexa": "http://www.alexa.com/siteinfo/fireeyecloud.com", "indicator": "fireeyecloud.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2202368796, "indicator": "fireeyecloud.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e73efe2e053366ed972", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-09-05T06:21:34.047000", "created": "2024-01-30T02:26:59.218000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6145, "URL": 14252, "hostname": 4778, "domain": 6809, "CVE": 3 }, "indicator_count": 32339, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8e4a55f5851279c265c8", "name": "https://www.hallrender.com/attorney/brian-sabey/ Gopher Ransomware ", "description": "", "modified": "2024-02-03T19:04:42.251000", "created": "2024-02-03T19:04:42.251000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b85e73efe2e053366ed972", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e7056e146f1416eae32", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-30T02:26:56.698000", "created": "2024-01-30T02:26:56.698000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "810 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b74ee93a0b0dc9c960cee", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/", "description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T00:50:54.481000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b74f4a6c53cc8e0f70611", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/", "description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T00:51:00.982000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca37e41ea135fa35b8832", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/ ", "description": "", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T22:21:50.409000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "http://p2d.josht.ca/assets/content-delivery/depots/download", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "bricked.wtf", "Appears to be closely associated with close relative and initial victim of attack.", "artificial-legal-intelligence.com", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it.", "business-support.intel.com", "Fireye - FEDNS1.FIREEYE.COM", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "http://www.visitbooker.com/Dropbox-07/index.htm", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "http://pl.gov-zaloguj.info", "https://www.journaldev.com/41403/regex", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "https://p2d.josht.ca/api/depots/info/?depot=", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://www.hallrender.com/attorney/brian-sabey/", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "and our limited information, is Daisy a victim or a crisis actor?", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "http://intel.net/.about.html", "http://apple.helptechnicalsupport.com/favicon.ico", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://www.jmtstudios.org/farewell/", "00000000000.cloudfront.net", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "mobileaccess.intel.com", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "http://api.jmtstudios.org/", "According to accounts she was afraid for her life , found to be safe then took her own life?", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Ransomware", "Gopher", "Mydoom", "Win.malware.convagent-9981433-0", "Njrat", "Ascii exploit", "Formbook", "Upadter" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e73efe2e053366ed972", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-09-05T06:21:34.047000", "created": "2024-01-30T02:26:59.218000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6145, "URL": 14252, "hostname": 4778, "domain": 6809, "CVE": 3 }, "indicator_count": 32339, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8e4a55f5851279c265c8", "name": "https://www.hallrender.com/attorney/brian-sabey/ Gopher Ransomware ", "description": "", "modified": "2024-02-03T19:04:42.251000", "created": "2024-02-03T19:04:42.251000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65b85e73efe2e053366ed972", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85e7056e146f1416eae32", "name": "https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-30T02:26:56.698000", "created": "2024-01-30T02:26:56.698000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "810 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b74ee93a0b0dc9c960cee", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/", "description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T00:50:54.481000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658b74f4a6c53cc8e0f70611", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/", "description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T00:51:00.982000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ca37e41ea135fa35b8832", "name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/ ", "description": "", "modified": "2024-01-26T00:00:39.927000", "created": "2023-12-27T22:21:50.409000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "sample", "ssl certificate", "feeds ioc", "analyze", "whois record", "contacted", "historical ssl", "resolutions", "threat roundup", "referrer", "contacted urls", "august", "execution", "njrat", "ransomware", "gopher", "formbook", "whois ssl", "communicating", "obz4usfn0 url", "cfqirgdhj5 url", "obz4usfn0", "sfqh4dt74w0 url", "cfqirgdhj5", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "mitre att", "file", "ck id", "show technique", "path", "factory", "hybrid", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers date", "gmt connection", "obz4usfn0 http", "cfqirgdhj5 http", "bundled", "dropped", "putty", "february", "july", "whois whois", "malware", "urls", "post", "vj87", "passive dns", "http", "unique", "ukhdaauqaaaaaac", "screenshot", "scan endpoints", "all octoseek", "code" ], "references": [ "https://www.hallrender.com/attorney/brian-sabey/", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "business-support.intel.com", "00000000000.cloudfront.net", "mobileaccess.intel.com", "artificial-legal-intelligence.com", "http://intel.net/.about.html", "http://medlineplus.gov.https.sci-hub.st", "https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098", "http://pl.gov-zaloguj.info", "http://apple.helptechnicalsupport.com/favicon.ico", "https://www.journaldev.com/41403/regex" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Gopher", "display_name": "Gopher", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Ascii Exploit", "display_name": "Ascii Exploit", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "658b74ee93a0b0dc9c960cee", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 168, "FileHash-SHA256": 6027, "URL": 13374, "hostname": 4575, "domain": 6755, "CVE": 3 }, "indicator_count": 31086, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fireeyecloud.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fireeyecloud.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776617112.2717 }