{ "type": "Domain", "indicator": "hackingtech4u.shop", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hackingtech4u.shop", "alexa": "http://www.alexa.com/siteinfo/hackingtech4u.shop", "indicator": "hackingtech4u.shop", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3850581642, "indicator": "hackingtech4u.shop", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a19ab3077e26f1ba3c8cd51", "name": "Credit Q.Vashti \"Unknown - Established hacker group. Affects banking\" clone", "description": "", "modified": "2026-05-31T05:26:42.780000", "created": "2026-05-29T15:05:20.198000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "688f1ce317fc8b3f9d5d5f33", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1429, "hostname": 478, "domain": 521, "email": 3, "SSLCertFingerprint": 1, "JA3": 1 }, "indicator_count": 4487, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b81d14b78bfc09f117f169", "name": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers", "description": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers | Googlebot | Matches a pattern and is related to a network of \nfoundations and business websites affected by . spyware, or bot networks, many involve social engineering, hacking , online phishing. Researching commonly reveals monitored target/s. (most, not all businesses operating even if temporary)", "modified": "2025-10-03T04:01:28.777000", "created": "2025-09-03T10:48:52.736000", "tags": [ "google search", "google sxg", "javascript", "google", "sxgs", "googlebot", "html", "paint", "implement sxg", "chrome", "ipv4", "path max", "age86400 set", "cookie", "script urls", "passive dns", "script domains", "united", "mtb sep", "trojandropper", "win32qqpass sep", "trojan", "url hostname", "server response", "ip address", "results jul", "learn", "command", "suspicious", "informative", "ck id", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "sha1", "sha256", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "pattern match", "mitre att", "ck matrix", "ascii text", "network traffic", "t1071", "t1057", "general", "local", "path", "pehash external", "api key", "comments", "vendor finding", "notes clamav", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "delphi", "win32", "powershell", "adult content", "call", "monitoring", "monitored target" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen", "display_name": "TrojanDropper:Win32/Cutwail.gen", "target": "/malware/TrojanDropper:Win32/Cutwail.gen" }, { "id": "trojan:Win32/Formbook!MTB", "display_name": "trojan:Win32/Formbook!MTB", "target": "/malware/trojan:Win32/Formbook!MTB" }, { "id": "TrojanSpy:Win32/Bancos.DI", "display_name": "TrojanSpy:Win32/Bancos.DI", "target": "/malware/TrojanSpy:Win32/Bancos.DI" }, { "id": "Win32/QQpass", "display_name": "Win32/QQpass", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0033", "name": "Lateral Movement", "display_name": "TA0033 - Lateral Movement" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 250, "domain": 83, "hostname": 115, "FileHash-MD5": 149, "FileHash-SHA256": 334, "FileHash-SHA1": 149, "email": 1 }, "indicator_count": 1081, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688f1ce317fc8b3f9d5d5f33", "name": "Unknown - Established hacker group. Affects banking, financial and much more.", "description": "Crowdsourced. Identifies as a Dark Web gang stalking entity. Research suggests that this is a very organized, possibly quasi governmental entity with shadowy state figures that social engineer targets. Even though they have been considered scammers and they are grifters, they are very established, dangerous and a very large force with claims of military alignments which has not yet been fully confirmed.\n\nThis group is anything you want them to be, attorney, accountant, technician, nurse, uber driver.", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T08:25:07.135000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1426, "hostname": 476, "domain": 521, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 4481, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "https://www.mccormick-designs.com", "http://mcbut.live (Not present? Absent today - unexcused)", "applephonenw.com [governmentattic]", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "thecomments.app", "nr-data.net [Apple Private Data Collection]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "http://www.sheraises.com/wcur/ [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "www.jamesbgriffinlaw.com (toolbox)", "72.167.124.187 [phishing]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win.trojan.zbot-64721", "Win.trojan", "Formbook", "Win.trojan.airinstall-1", "Artro", "Virtool:win32/injector.gen!bq", "Win.malware.snojan-6775202-0", "Alf:heraklezeval:pua:win32/imali", "Win32:malware-gen", "Trojan:win32/neconyd.a", "Win.trojan.nsis-41", "Alf:jasyp:trojandownloader:win32/startpage!atmn", "Trojanspy:win32/nivdort", "Win.dropper.remcos-9970861-0", "Trojanspy:win32/bancos.di", "Trojan:win32/formbook!mtb", "Trojandownloader:win32/upatre", "Ransom:win32/teerac.a", "Trojandownloader:win32/upatre.o", "Trojandropper:win32/cutwail.gen", "#lowfi:hstr:win32/airinstaller.b", "Win32/qqpass" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a19ab3077e26f1ba3c8cd51", "name": "Credit Q.Vashti \"Unknown - Established hacker group. Affects banking\" clone", "description": "", "modified": "2026-05-31T05:26:42.780000", "created": "2026-05-29T15:05:20.198000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "688f1ce317fc8b3f9d5d5f33", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1429, "hostname": 478, "domain": 521, "email": 3, "SSLCertFingerprint": 1, "JA3": 1 }, "indicator_count": 4487, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b81d14b78bfc09f117f169", "name": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers", "description": "Signed Exchanges on Google Search | Google Search Central Documentation: Google for Developers | Googlebot | Matches a pattern and is related to a network of \nfoundations and business websites affected by . spyware, or bot networks, many involve social engineering, hacking , online phishing. Researching commonly reveals monitored target/s. (most, not all businesses operating even if temporary)", "modified": "2025-10-03T04:01:28.777000", "created": "2025-09-03T10:48:52.736000", "tags": [ "google search", "google sxg", "javascript", "google", "sxgs", "googlebot", "html", "paint", "implement sxg", "chrome", "ipv4", "path max", "age86400 set", "cookie", "script urls", "passive dns", "script domains", "united", "mtb sep", "trojandropper", "win32qqpass sep", "trojan", "url hostname", "server response", "ip address", "results jul", "learn", "command", "suspicious", "informative", "ck id", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "sha1", "sha256", "click", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "pattern match", "mitre att", "ck matrix", "ascii text", "network traffic", "t1071", "t1057", "general", "local", "path", "pehash external", "api key", "comments", "vendor finding", "notes clamav", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "delphi", "win32", "powershell", "adult content", "call", "monitoring", "monitored target" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "TrojanDropper:Win32/Cutwail.gen", "display_name": "TrojanDropper:Win32/Cutwail.gen", "target": "/malware/TrojanDropper:Win32/Cutwail.gen" }, { "id": "trojan:Win32/Formbook!MTB", "display_name": "trojan:Win32/Formbook!MTB", "target": "/malware/trojan:Win32/Formbook!MTB" }, { "id": "TrojanSpy:Win32/Bancos.DI", "display_name": "TrojanSpy:Win32/Bancos.DI", "target": "/malware/TrojanSpy:Win32/Bancos.DI" }, { "id": "Win32/QQpass", "display_name": "Win32/QQpass", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0033", "name": "Lateral Movement", "display_name": "TA0033 - Lateral Movement" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 250, "domain": 83, "hostname": 115, "FileHash-MD5": 149, "FileHash-SHA256": 334, "FileHash-SHA1": 149, "email": 1 }, "indicator_count": 1081, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688fa1290b459ca0e307fcbd", "name": "http://www.jeffreyrusertjeffersoncounty.net/", "description": "Does this mean a someone who SA\u2019d and critically injured someone was given legal access to also spy on his victim? \nFurther investigation needed. Now ther is a little phone symbol blinking on my device. Weirdness.", "modified": "2025-09-02T10:03:26.815000", "created": "2025-08-03T17:49:29.657000", "tags": [ "status", "creation date", "date", "domain add", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as396982", "whois registrar", "pulses", "related tags", "indicator facts", "historical otx", "pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "mitre att", "ck techniques", "spawns", "falcon sandbox", "hybrid", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "null", "refresh", "body", "span", "august", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "config", "runner", "us seen", "general info", "geo kansas", "city", "missouri", "united", "as396982", "us note", "route", "ptr record", "live", "november", "value emails", "dnssec", "domain name", "llc status", "whois server", "showing", "entries", "olet", "encrypt", "cnr3", "cnr10", "cnr11", "ilike search", "id logged", "common name", "issuer name", "encrypt https", "expired", "key usage", "tls web", "identifier", "search criteria", "timestamp entry", "log operator", "log url", "google https", "poison", "info", "certificate", "linter", "precertificate", "tls server", "subject dn", "ascii", "sha256 hash", "graph", "sectigo https", "ca mechanism", "provider status", "revocation date", "log id", "criteria id", "16566017041", "summary leaf", "15317728412", "15385730680", "sequence", "octet string", "pkcs", "integer", "null bit", "string", "boolean", "pkix key", "pkix", "observed" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 226, "hostname": 64, "email": 1, "FileHash-SHA256": 143, "FileHash-MD5": 28, "FileHash-SHA1": 35, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688f1ce317fc8b3f9d5d5f33", "name": "Unknown - Established hacker group. Affects banking, financial and much more.", "description": "Crowdsourced. Identifies as a Dark Web gang stalking entity. Research suggests that this is a very organized, possibly quasi governmental entity with shadowy state figures that social engineer targets. Even though they have been considered scammers and they are grifters, they are very established, dangerous and a very large force with claims of military alignments which has not yet been fully confirmed.\n\nThis group is anything you want them to be, attorney, accountant, technician, nurse, uber driver.", "modified": "2025-09-02T08:02:34.108000", "created": "2025-08-03T08:25:07.135000", "tags": [ "united", "search", "entries", "unknown ns", "ip address", "creation date", "record value", "date", "showing", "moved", "body", "encrypt", "lowfi", "trojanspy", "checkin", "passive dns", "trojan", "next associated", "cryp", "win32", "phishing", "virtool", "hstr", "backdoor", "ipv4", "pulse pulses", "associated urls", "show", "date checked", "url hostname", "server response", "google safe", "results feb", "header http2", "accept encoding", "gmt related", "domains show", "domain related", "response ip", "address google", "safe browsing", "entries http", "scans show", "title", "link", "present mar", "meta", "starfield", "dynamicloader", "qaeaav12", "medium", "high", "malware", "windows wget", "qbeipbdii", "write", "suspicious", "copy", "yara rule", "gravityrat", "detectvm", "x00 x00", "x00x00", "doviacmd", "rootjob", "getfiles", "updateserver", "ethernetid", "unknown", "yara detections", "filehash", "sha256 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "oinetsim", "oudevelopment", "write c", "demo", "mtb sep", "trojandropper", "cookie", "path max", "age86400 set", "win32qqpass sep", "results aug", "script urls", "script domains", "a domains", "cache control", "cache status", "fury", "zenedge", "present jun", "present dec", "present jan", "present nov", "for privacy", "present may", "name servers", "no expiration", "filehashmd5", "filehashsha256", "filehashsha1", "iocs", "extract", "enter source", "url or", "text drag", "drop or", "domain", "expiration", "url http", "hostname", "email abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 459, "FileHash-MD5": 553, "FileHash-SHA256": 1042, "URL": 1426, "hostname": 476, "domain": 521, "email": 3, "SSLCertFingerprint": 1 }, "indicator_count": 4481, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hackingtech4u.shop", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hackingtech4u.shop", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780237782.8764007 }