{ "type": "Domain", "indicator": "fiverrtool.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fiverrtool.com", "alexa": "http://www.alexa.com/siteinfo/fiverrtool.com", "indicator": "fiverrtool.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3485182711, "indicator": "fiverrtool.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692131f725473d708579ec3a", "name": "Drive-by Compromise", "description": "", "modified": "2025-11-22T03:45:59.649000", "created": "2025-11-22T03:45:59.649000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68de7a48636c1d113e6069ff", "name": "911 Call during Remote phone reconfiguration | 3rd Party YouTube | Ransomware", "description": "Tested address. Link based on a 911 call on a known targeted device. Address incorrect but malicious activity found. Hacked device was under an unauthorized reconfiguration over several days. Russian conversion set up, Yandex and a 3rd party YouTube on a device that has never had a YouTube account or any other 3rd party apps.", "modified": "2025-11-01T12:01:18.197000", "created": "2025-10-02T13:12:40.466000", "tags": [ "passive dns", "emails", "servers", "code", "united", "aaaa", "found", "email", "port", "destination", "msie", "windows nt", "wow64", "slcc2", "dock", "write", "execution", "memcommit", "write c", "create c", "delete c", "delete", "april", "trojan", "mtb apr", "ransom", "united states", "hostname", "read c", "users", "win32", "malware", "title", "installer", "america", "password", "injection", "crypt", "zombie", "network", "remote" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "PSW.Generic11", "display_name": "PSW.Generic11", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "win32:Androp", "display_name": "win32:Androp", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52, "email": 1, "URL": 172, "hostname": 70, "FileHash-MD5": 155, "FileHash-SHA1": 133, "FileHash-SHA256": 258 }, "indicator_count": 841, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678f0dbdbc59dd2ea5656dcf", "name": "Order ", "description": "", "modified": "2025-01-21T03:00:13.071000", "created": "2025-01-21T03:00:13.071000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aclause21", "id": "303913", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "453 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f31b9a0551ca166c872292", "name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims", "description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent", "modified": "2024-10-24T19:00:50.385000", "created": "2024-09-24T20:05:46.785000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7f69cd76278113c22968", "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:44:41.449000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper", "cape" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bf15d571906a0a5e1a3", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:53.002000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2288, "CVE": 10, "email": 6 }, "indicator_count": 19122, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7ac0b39138b588fa325b", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:24:48.834000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1402, "FileHash-SHA1": 1366, "FileHash-SHA256": 6457, "URL": 6175, "domain": 1418, "hostname": 2287, "CVE": 10, "email": 6 }, "indicator_count": 19121, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7aa9d0ec86cff5b95b64", "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-09-12T14:01:56.106000", "created": "2024-08-13T15:24:25.284000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1401, "FileHash-SHA1": 1365, "FileHash-SHA256": 6436, "URL": 5931, "domain": 1391, "hostname": 2165, "CVE": 5, "email": 6 }, "indicator_count": 18700, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666a6ae5bb437ef87caedb43", "name": "Thor-Lite - ASUS, SG1 & 128 USB - 06.12.24", "description": "Just a thor-lite scan of a sample W11 Asus Device, a backup drive, and a 128 GB US\n-Some false positives (b/c ya know - community edition)\n\n06.12.24: https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "modified": "2024-07-13T03:04:07.502000", "created": "2024-06-13T03:43:33.080000", "tags": [ "valhalla", "parrotthor lite", "lite", "kano", "big drive", "scanid", "size1", "company1", "mz created1", "exists1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "service", "anomaly", "error", "virustotal", "bypass", "score", "procdump", "cobaltstrike", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "body", "powershell", "path", "shellcode", "model", "arch", "hosts", "pass", "powersploit", "powercat", "please", "javascript", "entity", "contains-pe", "contains-elf", "contains-zip", "base64-embedded" ], "references": [ "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/iocs", "https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/graph", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Telecommunications", "Healthcare", "Government", "Education", "contains-embedded-js", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1064, "URL": 105, "CVE": 8, "FileHash-SHA1": 549, "FileHash-SHA256": 567, "domain": 19, "email": 2, "hostname": 77 }, "indicator_count": 2391, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708fa9137ebcc0549ac8d0", "name": "https://take-away.ml/ - interesting - CVE-2021-22941", "description": "", "modified": "2023-12-06T15:13:45.159000", "created": "2023-12-06T15:13:45.159000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 315, "hostname": 91, "URL": 235, "FileHash-MD5": 46, "FileHash-SHA1": 42, "domain": 68, "CVE": 1 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546d0120a7e479fecffe2b1", "name": "Browser Malware Attack", "description": "Attacking browser to identify researcher.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:13:21.883000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "866 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6546cf78627adef6562a97aa", "name": "Browser Malware Attack", "description": "Attacking my browser to identify.\nCommand for critical failure/destruction: https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "modified": "2023-12-04T22:00:43.514000", "created": "2023-11-04T23:10:48.676000", "tags": [ "united", "facebook", "phishtank", "detection list", "ip address", "blacklist", "paypal", "cisco umbrella", "site", "alexa top", "safe site", "million", "malicious url", "malware site", "malicious site", "malware", "name verdict", "falcon sandbox", "reports no", "speci", "efr1", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "et tor", "known tor", "relayrouter", "date", "unknown", "general", "hybrid", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "phishing site", "heur", "cyber threat", "unsafe", "riskware", "phishing", "bank", "service", "artemis", "team", "xtrat", "agent", "xrat", "filetour", "exploit", "conduit", "opencandy", "fusioncore", "orkut", "steam", "genkryptik", "runescape", "presenoker", "ramnit", "msil", "crack", "tofsee", "suppobox", "malicious", "simda", "vawtrak", "hotmail", "generic", "webtoolbar", "hsbc", "maltiverse", "ip summary", "url summary", "summary", "sample", "samples", "count blacklist", "tag count", "downldr", "cleaner", "iframe", "wacatac", "alexa", "win64", "swrort", "installcore", "azorult", "download", "blacknet rat", "stealer", "softcnapp", "nircmd", "unruy", "patcher", "adload", "dropper", "installpack", "tiggre", "gamehack", "trojanspy", "germany http", "attacker", "static engine", "internet storm", "center", "passive dns", "urls", "scan endpoints", "all search", "otx scoreblue", "url http", "pulse pulses", "http", "related nids" ], "references": [ "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "object.prototype.hasownproperty.call", "hasownproperty.call", "a.default.meta.applestore.id", "applestore.id", "http://decafsmob.this.id", "id.google.com", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://git.io/yBU2rg", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "http://tracking.3061331.corn10wuk.club", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "apps.apple.com/us/app/id$", "t.name", "http://e.id?e.id:e.id.getAttribute", "location.search", "https://dnsorangetel.dn2.n-helix.com", "1080p-torrent.ml", "states.app", "dev-2.ernestatech.com", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "209.85.145.113 [malware]", "cdn.fuckporntube.com", "www.search.app.goo.gl", "apps.apple.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "globalworker1.sol.us", "worker-m-tlcus1.sol.us" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Ireland", "Singapore" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "HSBC", "display_name": "HSBC", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1015, "hostname": 1309, "FileHash-MD5": 466, "FileHash-SHA1": 255, "FileHash-SHA256": 3783, "URL": 4001, "CVE": 9, "email": 3 }, "indicator_count": 10841, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "866 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f09785f9ee8aebca2a667", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-30T01:40:08.022000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": "653bf3b076e4dbcd0c099992", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "875 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653bf3b076e4dbcd0c099992", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-27T17:30:24.926000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "875 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62b45735fa485bf26a3b666a", "name": "https://take-away.ml/ - interesting - CVE-2021-22941", "description": "", "modified": "2022-07-23T00:04:41.726000", "created": "2022-06-23T12:06:13.537000", "tags": [ "CVE-2021-22941" ], "references": [ "Found decrypted SSL traffic details \"GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: take-away.ml DNT: 1 Connection: Keep-Alive\"- [Source: SSL_145.14.145.152] \"HTTP/1.1 410 Gone Date: Sun, 12 Jun 2022 13:42:10 GMT Content-Type: text/html Content-Length: 16922 Connection: keep-alive ETag: \"5f8d84ab-421a\" Server: awex X-Xss-Protection: 1; mode=block X-Content-Type", "https://hybrid-analysis.com/sample/b1ff0635f1ca2a949dff4616ec2fc455872bc1e6a181e19b3b34461a21fc5304/62a5ec9f239e4f04ec28cf81" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 91, "URL": 235, "FileHash-SHA256": 315, "domain": 68, "CVE": 1, "FileHash-MD5": 46, "FileHash-SHA1": 42 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1366 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Found decrypted SSL traffic details \"GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: take-away.ml DNT: 1 Connection: Keep-Alive\"- [Source: SSL_145.14.145.152] \"HTTP/1.1 410 Gone Date: Sun, 12 Jun 2022 13:42:10 GMT Content-Type: text/html Content-Length: 16922 Connection: keep-alive ETag: \"5f8d84ab-421a\" Server: awex X-Xss-Protection: 1; mode=block X-Content-Type", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Large DNS Query possible covert channel\t192.168.56.101", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/graph", "location.search", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://fairspin.io/?track_id=44698569&pid=1&geo=6252001&utm_source=bonafides&utm_medium=&utm_campaign=smarttds&utm_term=incorrect_param", "worker-m-tlcus1.sol.us", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "applestore.id", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "a.default.meta.applestore.id", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "Tofsee: 'google.com' | https://www.gov50.icu |", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "dev-2.ernestatech.com", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "www.search.app.goo.gl", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "Yara Detections: is__elf , DemonBot", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "critical-failure-alert2286.40ek97931491.com-4nj1ze3ivfwy.website", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "https://hybrid-analysis.com/sample/b1ff0635f1ca2a949dff4616ec2fc455872bc1e6a181e19b3b34461a21fc5304/62a5ec9f239e4f04ec28cf81", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "https://tulach.cc/ | tulach.cc |", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "http://decafsmob.this.id", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "http://e.id?e.id:e.id.getAttribute", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "http://critical-system-failure7250.21ny35098453.com-bm3y-v806d9gk.cricket/", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61", "hubt.pornhub.com | www.pornhub.com | pornative.com", "http://www.youtube.com/gen_204?cplatform=tablet&c=android&cver=5.6.36&cos=Android&cosver=4.4.2&cbr=com.google.android.youtube&cbrv", "cdn.fuckporntube.com", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://search.app.goo.gl/?ofl=https://lens.google&al=googleapp://lens?lens_data=KAw&apn=com.google.android.googlequicksearchbox&amv=301204913&isi=284815942&ius=googleapp&ibi=com.goog", "id.google.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "track.adminresourceupdate.com \u2022 postracking100.online", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "apps.apple.com/us/app/id$", "1080p-torrent.ml", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "https://coloradosprings.americanlisted.com/pets-animals/beautiful-ragdoll-kittens_31591993.html", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "www.pornhubselect.com | pornhub.software", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "https://hybrid-analysis.com/sample/d26000dfe1137f05f9187996dc752a703000402fe9e35a8ea216e9215a34560d", "http://tracking.3061331.corn10wuk.club", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "globalworker1.sol.us", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "http://information.7174932.cakcuk.az/tracking/tracking.php?id=8459701&page=904", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "xxx.developer.android.com", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/summary", "states.app", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "Yara Detections: Delphi", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "209.85.145.113 [malware]", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/iocs", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "hasownproperty.call", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "object.prototype.hasownproperty.call", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "https://dnsorangetel.dn2.n-helix.com", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "IDS Detections: Andariel Backdoor Activity (Checkin)", "http://git.io/yBU2rg", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "t.name", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript", "DISTINCTIO8.pdf", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "apps.apple.com", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Pua.wombat", "Gen:variant.application.bundler.downloadguide", "Trojan:win32/neurevt", "Adware", "W32.installcore.agx", "Application.deceptor", "Mimikatz", "Agen.1144657", "Cve-2017-17215", "Cve-2014-8361", "Bscope.trojan", "Gen:variant.msilheracles", "#lowfi:trojan:js/auto59", "Vm201.0.b70b.malware", "Adware:win32/adload.0e19dea6", "Goldfinder", "Agent.ocj", "Adware.kuzitui", "Downloader.opencandy", "Js:trojan.hidelink 2", "Crypt2.azdi", "Heur:trojan.diztakun", "Redirector.an", "Heur:exploit.script", "Trojan.khalesi 2\tadware 2", "Msil_bladabindi.g.gen", "W32.malware", "Unsafe.ai_score_94%", "Html:redirme", "Gen:nn.zemsilf.34170", "Mxresicn.heur", "Remote utilities", "Trojan.msil", "Packed.dico", "Pup/win32.bundler.r1865", "Mirai", "Heur.bzc.yax.boxter.819", "Generic.js.blackhole", "Mimikatz - s0002", "Packed.themida", "Riskware.netfilter", "Onelouder", "Magazine phishing", "Backdoor.dtr.15", "Bscope.backdoor", "Hacktool.bruteforce", "Trojan.js.iframe", "Zbot", "Downldr.gen", "Behaveslike.icloader", "Azorult", "Inno:downloader-j [pup]", "Vb:trojan.valyria", "Behaveslike.downloader", "Trojanbanker.banbra", "Worm.boychi", "Unsafe.ai_score_95% 2", "Exploit.zip.heuristic", "Gen:variant.tedy hacktool.vulndriver", "Malicious.f01f67", "Trojan.win32.pdf.alien", "Dropper.trojan.agent", "Generic.asmalws", "Gen:variant.application.bundler", "Clicker.vb", "Trojan:win32/glupteba.mt!mtb", "Backdoor.nhopro", "W32.hfsautob", "Psw.generic11", "Infected.webpage", "Cve-2014-3153", "Webtoolbar", "Trojan.downloader33", "Downware", "Phishing jpmorgan chase and co.", "Tofsee", "Trojware.js.adware.agent", "Ransom:win32/haperlock", "Quasar rat", "Sabsik.fl.b", "Deepscan:generic.brresmon.1", "Gen:variant.bulz", "Tool.patcher", "Agen.1045143", "Trojan.small", "Absolute uninstaller", "Cve-2023-27350", "Trojan.cookiesstealer", "Virtool:win32/injector", "Generic.application.js.sobrab.1", "Trojandropper:win32/muldrop", "Sabey", "Pe.heur", "Kryptik.dawvk", "Gen:nn.zexaf.34090", "Trojan:win32/zombie.a", "Backdoor.androm", "Win32:vbmod\\ [trj]", "Hacktool.cheatengine", "Trojan.rozena", "Vdehu.a", "Win.malware.oxypumper-6900435-0", "Virus.sality", "Gen:nn.zemsilf.32515", "Trojan.bat.qhost", "Cobalt strike", "Hw32.packed", "Redline stealer", "Maltiverse", "Js:trojan.clicker", "Nids", "Backdoor:win32/tofsee", "Trojan.ransom.generickd", "Suspici.1f4405d1", "Installcore.gen7", "Html:redirba", "Inject.brdv", "Bscope.adware.msil", "Googletoolbar", "Trojan.linux.generic", "Freemake.a potentially unwanted", "Faceliker.d", "Adware.browsefoxcrtd", "Backdoor.predator", "Application.bitcoinminer", "Application.auslogics", "Scrinject.eric", "Trojan.hotkeychick", "Gen:variant.jacard", "Adwaresig [adw]", "Kryptik.gkqr", "Sigriskware.lespeedtechnologyltd", "Webtoolbar.asparnet", "Gen:heur.msil.androm", "Qvm05.1.08e5.malware", "Html:script", "Gen:variant.ursu", "Win.packed.razy-9828382-0", "Agent.mu", "Cve exploits", "Hacktool.crack", "Hoax.deceptpcclean", "Asparnet.p", "Agent.cux.gen", "Sibot", "Xtreme rat", "Adware.adload/adinstaller", "Trojan.wisdomeyes.16070401.9500", "Dropper.gen", "Worm.allaple", "Trojan.gandcrypt", "Gamehack", "Downloader.generic", "Worm.autorun", "Win.malware.agent-6386296-0", "Win.trojan.installcore-1177", "Csqkhtaai", "Ddos:linux/gafgyt.ya!mtb", "Trojan.downloader", "Tel:createscheduledtask", "Applicunwnt@#2n6\tirs", "Dropper.wanna", "Nettool.remoteexec", "!execryptor_2.x.x", "Win.malware.qshell-9875653-0", "Riskware.crack", "Trojan.clipbanker", "Wacatac.b", "Program.freemake", "Troj_gen.f04ie00ci19", "Tel:trojan:html/phishing", "Trojan.bayrob", "Worm.chir", "Warezov.gen3", "Adware.oxypumper", "Trojandropper.autit", "Pup.systweak", "Injector.cuam", "Scrinject.b", "Win.trojan.sarwent-10012602-0", "Goldmax - s0588", "Win32:androp", "Gen:variant.symmi", "Adware.dealply", "Darkkomet.ife", "Installcore.np", "Trojanspy", "M1", "Trojanspy:win32/nivdort", "Win.trojan.5229994-1", "Heur:hoax.pcfixer", "Wisecleaner.a potentially unwanted", "Trojan:win32/zombie", "Nemucod.21c8", "Bondat.a", "Ransom", "Virus:win32/sivis.a", "Emotet", "Driverreviver.a potentially unwanted", "Blacknet rat", "Bscope.trojandownloader", "Tsgeneric", "Unix.trojan.mirai-6981169-0", "Trojan.brsecmon", "Hsbc", "Doplik.j", "Ml.attribute", "Trojan.otnr", "Trojan.ransom.gandcrab", "Taiwan", "Riskware.hacktool.agent", "Trojan:win32/xtrat", "Gen:heur.msil.inject" ], "industries": [ "Healthcare", "Contains-embedded-js", "Telecommunications", "Education", "Government", "Civil society", "Technology", "Civilian society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692131f725473d708579ec3a", "name": "Drive-by Compromise", "description": "", "modified": "2025-11-22T03:45:59.649000", "created": "2025-11-22T03:45:59.649000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68de7a48636c1d113e6069ff", "name": "911 Call during Remote phone reconfiguration | 3rd Party YouTube | Ransomware", "description": "Tested address. Link based on a 911 call on a known targeted device. Address incorrect but malicious activity found. Hacked device was under an unauthorized reconfiguration over several days. Russian conversion set up, Yandex and a 3rd party YouTube on a device that has never had a YouTube account or any other 3rd party apps.", "modified": "2025-11-01T12:01:18.197000", "created": "2025-10-02T13:12:40.466000", "tags": [ "passive dns", "emails", "servers", "code", "united", "aaaa", "found", "email", "port", "destination", "msie", "windows nt", "wow64", "slcc2", "dock", "write", "execution", "memcommit", "write c", "create c", "delete c", "delete", "april", "trojan", "mtb apr", "ransom", "united states", "hostname", "read c", "users", "win32", "malware", "title", "installer", "america", "password", "injection", "crypt", "zombie", "network", "remote" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "PSW.Generic11", "display_name": "PSW.Generic11", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "win32:Androp", "display_name": "win32:Androp", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52, "email": 1, "URL": 172, "hostname": 70, "FileHash-MD5": 155, "FileHash-SHA1": 133, "FileHash-SHA256": 258 }, "indicator_count": 841, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678f0dbdbc59dd2ea5656dcf", "name": "Order ", "description": "", "modified": "2025-01-21T03:00:13.071000", "created": "2025-01-21T03:00:13.071000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aclause21", "id": "303913", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "453 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f31b9a0551ca166c872292", "name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims", "description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent", "modified": "2024-10-24T19:00:50.385000", "created": "2024-09-24T20:05:46.785000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb7bdba31f4d175b19d1ef", "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-13T15:29:31.899000", "tags": [ "ip addresses", "luna moth", "campaign", "norad tracking", "ipdomain", "investigation", "hr rtd", "hallrender", "brian sabey", "heuristic", "referrer", "pe resource", "first", "utc submissions", "submitters", "solutions", "namesilo", "amazon02", "digitaloceanasn", "limited", "aschoopa", "ovh sas", "generator", "data", "v3 serial", "number", "issuer", "everywhere dv", "tls ca", "g1 odigicert", "validity", "subject public", "key info", "date", "server", "email", "code", "registrar abuse", "registrar url", "whois lookup", "admin city", "admin country", "cn admin", "office open", "xml spreadsheet", "detections type", "name", "dns replication", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "historical ssl", "threat roundup", "october", "investigation c", "december", "september", "ngfw traffic", "malicious ip", "address", "raspberry robin", "stealer", "creation date", "passive dns", "urls", "search", "name servers", "status", "showing", "all scoreblue", "unknown", "next", "as47846", "germany unknown", "as44273 host", "united", "as12876 online", "domain", "cve-2016-2569", "yodaprot", "xorcrypt", "yoda", "aspack", "yara detections", "intel", "comments", "show", "productversion", "inno setup", "invalid", "format", "invalid variant", "delphi", "stack", "error", "iniciar download setup", "gui", "application/octet-stream", "tsara brashears", "targets", "cve-2017-0199", "aspack", "contains-pe", "contains-elf", "bobsoft", "cve-2010-3333", "contains-embedded-js", "cve-2014-3931", "cve-2017-11882", "adware.adload/adinstaller", "win32processor", "information", "flow t1574", "dll sideloading", "reads", "downloads", "win32process", "t1055 spawns", "access token", "modify access", "files", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "self deletion", "f0007 discovery", "ob0007 analysis", "dead", "cybercrime", "cyber criminal group", "dynamicloader", "high", "medium", "trojan", "less see", "contacted", "yara rule", "installs", "windows", "windows startup", "february", "copy", "as14061", "as16276", "canada unknown", "united kingdom", "as63949 linode", "as202053", "finland unknown", "aaaa", "get http", "request", "windows nt", "khtml", "gecko", "wow64", "host", "connection", "cus cndigicert", "ca1 odigicert", "win32", "win64", "accept", "dataset", "system property", "lookups", "select family", "userprofile", "temp", "samplepath", "user", "runtime modules", "modules", "programfiles", "windir", "datacrashpad", "k netsvcs", "s ngcctnrsvc", "nameweb bvba", "domains", "csc corporate", "registrarsafe", "registrar", "namecheap inc", "nameweb", "win32 exe", "detections file", "win32 dll", "ip detections", "country", "highly targeted", "problems", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "unknown win", "agent tesla", "worm", "formbook", "startpage", "dead drop resolver", "nxdomain", "ns nxdomain", "scan endpoints", "all search", "otx scoreblue", "pulse pulses", "hostname", "files ip", "address domain", "div div", "a li", "p div", "read more", "a div", "bq aug", "script script", "path max", "age86400 set", "cookie", "entries", "trojandropper", "body", "trojan features", "related pulses", "file samples", "files matching", "date hash", "copyright", "virtool", "trojanspy", "hashes c2ae", "capa", "cape sandbox", "moves", "tencent habo", "zenbox", "tls rsa", "sha256", "inc subject", "global g2", "odigicert inc", "cndigicert sha2", "high assurance", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl", "javascripts", "iframes", "embedded", "x sucuri", "cookie policy", "jeffrey scott reimer dpt", "toni braxton", "police", "fbi va", "loudon county", "ashburn va", "douglas co", "douglas co sheriff", "sheriff", "justin bieber", "swipper" ], "references": [ "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)", "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING", "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply", "Yara Detections: Delphi", "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003", "\"Malware Behavior Catalog Tree: Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102", "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02", "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083", "\"Malware Behavior Catalog Tree: Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059", "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007", "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001", "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083", "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023", "\"Dataset actions -System Property Lookups: IIWbemServices::Connect", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor", "\"Dataset actions - System Property Lookups: Execution OB0012 F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005", "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus", "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com", "Apple Issues:\tcheckapple.com http://www.checkapple.com/ https://bincc.xyz/bin-apple-music-1month-apple-tv-7days apple-marketing.com", "Apple Issues:\tapp-appleid.serveirc.com appleid-appleus.serveirc.com appleidapple.serveirc.com apples-uncek.serveirc.com", "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/ http://www.appleid-lockid.serveirc.com/ http://www.appleid-seccure23.serveirc.com/", "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/ http://www.appleid-secure22.serveirc.com/ serviceirc.com", "Apple Issues: http://www.appleid-supporthelp.serveirc.com/ http://www.appleids-security.serveirc.com/", "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days", "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)", "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort", "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A", "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB , Backdoor:Linux/Setag!rfn , Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn", "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn , ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt", "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048", "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007", "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017", "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004", "\"Malware Behavior Catalog Tree: Create 00001807 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001", "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021", "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry", "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"", "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query", "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32", "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API", "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer", "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation", "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows", "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value", "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory", "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows", "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path", "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system", "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "United States of America" ], "malware_families": [ { "id": "PUP/Win32.Bundler.R1865", "display_name": "PUP/Win32.Bundler.R1865", "target": null }, { "id": "Inno:Downloader-J [PUP]", "display_name": "Inno:Downloader-J [PUP]", "target": null }, { "id": "AdWare:Win32/AdLoad.0e19dea6", "display_name": "AdWare:Win32/AdLoad.0e19dea6", "target": "/malware/AdWare:Win32/AdLoad.0e19dea6" }, { "id": "Adware.Adload/Adinstaller", "display_name": "Adware.Adload/Adinstaller", "target": null }, { "id": "Win.Packed.Razy-9828382-0", "display_name": "Win.Packed.Razy-9828382-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" } ], "industries": [ "Technology", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1403, "FileHash-SHA1": 1367, "FileHash-SHA256": 6478, "URL": 6415, "domain": 1445, "hostname": 2408, "CVE": 10, "email": 6 }, "indicator_count": 19532, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fiverrtool.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fiverrtool.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776615814.1345525 }