{
"type": "URL",
"indicator": "http://admin.docs.tw",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "http://admin.docs.tw",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3537869366,
"indicator": "http://admin.docs.tw",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e940361a6e8be7e02ffe5d",
"name": "URL_File_Delivery clone by octoseek",
"description": "",
"modified": "2026-05-22T23:04:42.859000",
"created": "2026-04-22T21:40:06.671000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d9d1b920c9b43c1885b2e4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1644,
"domain": 386,
"hostname": 535,
"FileHash-SHA256": 609,
"email": 5,
"URI": 9,
"FilePath": 1,
"FileHash-SHA1": 8,
"FileHash-MD5": 24
},
"indicator_count": 3221,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "123 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "190 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "190 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d3caa9524bb6b5460615f3",
"name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms",
"description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github",
"modified": "2025-10-24T10:01:25.310000",
"created": "2025-09-24T10:40:40.987000",
"tags": [
"text drag",
"browse to",
"select file",
"or drop",
"yara detections",
"runlevel",
"av detections",
"ids detections",
"alerts",
"analysis date",
"inject",
"stncphpphp more",
"virustotal api",
"comments",
"related tags",
"passive dns",
"republic",
"ipv4 add",
"location korea",
"korea",
"asn as9318",
"dns resolutions",
"pulses otx",
"close",
"dynamicloader",
"backdoor",
"tgt session",
"reads",
"dynamic",
"write",
"chopper",
"pho exploit",
"backdoor",
"fireeye",
"low risk",
"drop",
"create snapshot",
"hangover_appinbot",
"kns dropper",
"self",
"md5 sha256",
"google safe",
"browsing",
"server response",
"response code",
"vary",
"mimikatz",
"silence malware",
"trojanagent",
"legacy",
"password",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"defense evasion",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"selection",
"ascii text",
"crlf line",
"windir",
"openurl c",
"appearance code",
"password",
"urlhttps",
"username",
"flag",
"united",
"markmonitor",
"github",
"server",
"date",
"click",
"apt 1",
"high",
"read c",
"search",
"medium",
"show",
"windows",
"cmd c",
"ms windows",
"next",
"copy",
"ver",
"businesseconomy"
],
"references": [
"Files",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ireland"
],
"malware_families": [
{
"id": "Php.Exploit.C99-27",
"display_name": "Php.Exploit.C99-27",
"target": null
},
{
"id": "Backdoor:ASP/Chopper.F!dha",
"display_name": "Backdoor:ASP/Chopper.F!dha",
"target": "/malware/Backdoor:ASP/Chopper.F!dha"
},
{
"id": "Legacy.Trojan.Agent-37025",
"display_name": "Legacy.Trojan.Agent-37025",
"target": null
},
{
"id": "Ver",
"display_name": "Ver",
"target": null
}
],
"attack_ids": [
{
"id": "T1110.001",
"name": "Password Guessing",
"display_name": "T1110.001 - Password Guessing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 87,
"FileHash-SHA1": 84,
"FileHash-SHA256": 1049,
"URL": 1688,
"hostname": 544,
"email": 5,
"domain": 292,
"CVE": 2
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "219 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "318 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "318 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68743733a69ce827f6156f5c",
"name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy",
"description": "",
"modified": "2025-07-13T22:46:11.685000",
"created": "2025-07-13T22:46:11.685000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 147,
"modified_text": "321 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6802db5065a2d5648af92de3",
"name": "Pegasus Spyware",
"description": "If you see one of these IP addresses on your Android device, know this: the government is spying on you. It is recommended to perform a clean install of the latest version of Android, without Google services and with a proper firewall. Don't forget to disable RCS to decrease the attack surface.",
"modified": "2025-05-20T10:00:22.858000",
"created": "2025-04-18T23:08:00.201000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "esjsonexe",
"id": "320409",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 255,
"hostname": 318,
"URL": 762,
"FileHash-SHA256": 288
},
"indicator_count": 1623,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 18,
"modified_text": "376 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "674248a40f08120e523708eb",
"name": "cqbpy.nakula.fun (enriched)",
"description": "",
"modified": "2024-12-23T21:01:08.932000",
"created": "2024-11-23T21:27:00.332000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 60,
"hostname": 383,
"domain": 63,
"URL": 487
},
"indicator_count": 997,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 182,
"modified_text": "523 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67264874826a7c8efb017e83",
"name": "unfamiiiiardates (enriched)",
"description": "",
"modified": "2024-12-02T15:01:26.132000",
"created": "2024-11-02T15:42:44.989000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 94,
"hostname": 67,
"domain": 70,
"URL": 212
},
"indicator_count": 447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 182,
"modified_text": "544 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6523344e4adc85389899504c",
"name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]",
"description": "",
"modified": "2024-10-13T03:00:28.081000",
"created": "2023-10-08T22:59:26.040000",
"tags": [
"united",
"contacted urls",
"whois record",
"contacted",
"malicious site",
"malware",
"phishing site",
"anonymizer",
"heur",
"control server",
"facebook",
"cobalt strike",
"execution",
"installcore",
"phishing",
"service",
"core",
"metro",
"icmp",
"hacktool",
"download",
"relic",
"monitoring",
"installer",
"steam",
"bank",
"dnspionage",
"crack",
"unsafe",
"ramnit",
"emotet",
"malware site",
"proxy",
"exploit",
"fakealert",
"team",
"redline stealer",
"laplasclipper",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"alexa",
"downloader",
"opencandy",
"generic",
"presenoker",
"maltiverse",
"trojanspy",
"date",
"unknown",
"windir",
"markmonitor",
"name server",
"av detection",
"september",
"default browser",
"guest system",
"hybrid",
"general",
"click",
"strings",
"class",
"critical",
"blacklist",
"union",
"Embarcadero Delphi",
"whois whois",
"referrer",
"ssl certificate",
"communicating",
"resolutions",
"parent parent",
"dropped",
"stealer",
"banker",
"keylogger",
"attack",
"apple",
"detection list",
"ip address",
"netsky",
"firehol proxy",
"noname057",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"FireHol",
"Proxy",
"Pexee",
"Bank of America Corporation Malware Download",
"CVE-2017-11882",
"Alexa SANS Internet Storm Center",
"MCI Verizon Block",
"NaN"
],
"references": [
"http://ww1.tsx.org/_fd",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"remote.telegrafix.com (remote hacking)",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"remote.haverhillcc.com (remote hacking)",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"apple.com. (malicious version/header)",
"https://www.apple.com/sitemap/",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"init.ess.apple.com (remote hacking)",
"applepaydayloans.com",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://applepaydayloans.com/",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"https://support.Apple.com/de",
"http://www.Apple.com/quicktime/download",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"https://www.roseoubleu.fr/panier (phishing)",
"Roksit.net",
"stagelight.pl (malicious/ pattern match)",
"www.jamesbgriffinlaw.com (malicious host)",
"Data Analytics",
"Behavior Pattern Match Analysis",
"45.159.189.105 (Command and Control)",
"http://45.159.189.105/bot/regex (Bot Command)",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TEL:Delphi/Obfuscator",
"display_name": "TEL:Delphi/Obfuscator",
"target": "/malware/TEL:Delphi/Obfuscator"
},
{
"id": "LaplasClipper",
"display_name": "LaplasClipper",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "SLFPER:InstallCore",
"display_name": "SLFPER:InstallCore",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "ALF:Program:OpenCandy:Remnant",
"display_name": "ALF:Program:OpenCandy:Remnant",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "generic.malware",
"display_name": "generic.malware",
"target": null
},
{
"id": "Anonymizer",
"display_name": "Anonymizer",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/Mimikatz",
"display_name": "#HSTR:HackTool:Win32/Mimikatz",
"target": null
},
{
"id": "PWS:MSIL/Steam",
"display_name": "PWS:MSIL/Steam",
"target": "/malware/PWS:MSIL/Steam"
},
{
"id": "Trojan.HTML.Agent",
"display_name": "Trojan.HTML.Agent",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Worm:Win32/Netsky",
"display_name": "Worm:Win32/Netsky",
"target": "/malware/Worm:Win32/Netsky"
},
{
"id": "Sodin Ransomware",
"display_name": "Sodin Ransomware",
"target": null
},
{
"id": "Keyloggers",
"display_name": "Keyloggers",
"target": null
},
{
"id": "Proxy",
"display_name": "Proxy",
"target": null
},
{
"id": "TEL:Trojan:Win32/Emotet",
"display_name": "TEL:Trojan:Win32/Emotet",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"target": null
},
{
"id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"target": null
},
{
"id": "AdwareSig [Adw] ml.Generic",
"display_name": "AdwareSig [Adw] ml.Generic",
"target": null
},
{
"id": "W32.Hack.Generic",
"display_name": "W32.Hack.Generic",
"target": null
},
{
"id": "Trojan.Ole2.Vbs",
"display_name": "Trojan.Ole2.Vbs",
"target": null
},
{
"id": "QVM20.1.8D80.Malware",
"display_name": "QVM20.1.8D80.Malware",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Backdoor.Mokes",
"display_name": "Backdoor.Mokes",
"target": null
},
{
"id": "AdWare.DropWare",
"display_name": "AdWare.DropWare",
"target": null
},
{
"id": "Gen:Variant.Razy",
"display_name": "Gen:Variant.Razy",
"target": null
},
{
"id": "Generic.31fcc75f",
"display_name": "Generic.31fcc75f",
"target": null
},
{
"id": "Trojan.Generic",
"display_name": "Trojan.Generic",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "malware.generic",
"display_name": "malware.generic",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "GameHack.DR",
"display_name": "GameHack.DR",
"target": null
},
{
"id": "Dropper.Binder",
"display_name": "Dropper.Binder",
"target": null
},
{
"id": "malicious.22a4c0",
"display_name": "malicious.22a4c0",
"target": null
},
{
"id": "SdBot.CAOC",
"display_name": "SdBot.CAOC",
"target": null
},
{
"id": "ml.Generic",
"display_name": "ml.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Phish.AB",
"display_name": "Phish.AB",
"target": null
},
{
"id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6506b48d699080b4bfd334c5",
"export_count": 74,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7761,
"CVE": 6,
"FileHash-MD5": 285,
"FileHash-SHA1": 165,
"FileHash-SHA256": 5059,
"domain": 987,
"hostname": 2399
},
"indicator_count": 16662,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "595 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aafd0e93efa420f74123c",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2024-10-12T01:00:47.836000",
"created": "2023-12-02T04:17:20.189000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 107,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3895,
"URL": 11195,
"domain": 2959,
"hostname": 3575,
"CVE": 16,
"SSLCertFingerprint": 1,
"email": 1
},
"indicator_count": 24465,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "596 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e0ffb31d4881f3238713",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:15:27.994000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 89,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "664 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e142f0c8f5ddecbc788c",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:16:34.388000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 94,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "664 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6688e15588a794b95443b46d",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated",
"modified": "2024-08-05T02:03:31.529000",
"created": "2024-07-06T06:16:53.461000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"file size",
"b file",
"detections file",
"gzip chrome",
"cache entry",
"graph",
"ip detections",
"country",
"domains",
"internet domain",
"service bs",
"corp",
"namecheap inc",
"csc corporate",
"tucows",
"epik llc",
"tucows domains"
],
"references": [
"https://www.searchw3.com/",
"IP\u2019s Contacted: 192.124.249.187",
"Ransomware: message.htm.com",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 73,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3731,
"URL": 11926,
"hostname": 4626,
"domain": 4135,
"FileHash-MD5": 1530,
"FileHash-SHA1": 762,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 26747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "664 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b4624c5bb71879020ceb1c",
"name": "Spyware | Ransomware | Direct Search Network | Trellian",
"description": "Large, hard to believe fraudulent threat network. Fraud services from private investigators to attorneys. Social engineering by phone, email, sponsored advertising, malvertizing, remote attacks. tracking, in person, emails, surveys, text, ongoing espionage campaigns, info stealing, cyber attacks, arrange in person meetings , identified as 'gang stalking' by detective, service staging. Very real. Bad actors take advantage of targets devices installing overlays on windows,android. iOS. Targets can only see what adversary wants seen.\n\nLarge threat network in Colorado and abroad.\nScreenshot: https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://1redirc.com/r2.php\nCouldn't submit 1st pulse. contacted, spyware, phishing,trojan, registrar abuse",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-27T01:54:20.513000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "825 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b474c9c9bed0cdd00a9480",
"name": "Spyware | Ransomware | Threat & Direct Search Network | Trellian",
"description": "",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-27T03:13:13.978000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65b4624c5bb71879020ceb1c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "825 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b86568e1eaace7d9f062b4",
"name": "Tags auto populated in original Threat Network pulse missing",
"description": "",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-30T02:56:40.484000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "825 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65b865697c59050da541247f",
"name": "Tags auto populated in original Threat Network pulse missing",
"description": "",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-30T02:56:41.045000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "825 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657ab025b97f20f31bbfcd70",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-14T07:35:01.537000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 512,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "869 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657c03432f4f2997c7d3aff4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:41:55.972000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "869 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657c045ef15bd06d27da1b08",
"name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:46:38.664000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c03432f4f2997c7d3aff4",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "869 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658dd341d97d04b0253392d4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-28T19:57:53.875000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 522,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "869 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "658ef8c00492cc6bdaa8b605",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-29T16:50:08.330000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "658dd341d97d04b0253392d4",
"export_count": 518,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 237,
"modified_text": "869 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "659d6ae800440c0befb47e22",
"name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2024-01-09T15:48:56.676000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c045ef15bd06d27da1b08",
"export_count": 250,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "869 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657aaff046e2083b423a39e2",
"name": "Inmortal Invoke-Mimikatz",
"description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.",
"modified": "2024-01-12T04:02:22.872000",
"created": "2023-12-14T07:34:08.701000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 438,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1995,
"hostname": 3222,
"URL": 7179,
"FileHash-MD5": 2749,
"FileHash-SHA1": 1538,
"FileHash-SHA256": 4661,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 21381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "870 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65715ad29ac565164664960b",
"name": "InstallMate",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-07T05:40:34.888000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 210,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "876 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65715b49b95c13605856d6d0",
"name": "Lazarus Group _ 192.229.211.108",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-07T05:42:33.281000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65715ad29ac565164664960b",
"export_count": 210,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "876 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6572622bba87d8d105a7259f",
"name": "Lazarus Group _ 192.229.211.108",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-08T00:24:11.801000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65715b49b95c13605856d6d0",
"export_count": 234,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "876 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6562908e28e6cdc237fbf8db",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2023-12-26T00:03:03.925000",
"created": "2023-11-26T00:25:50.529000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 83,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3751,
"URL": 10878,
"domain": 2914,
"hostname": 3520,
"CVE": 16
},
"indicator_count": 23902,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "656aafce24b001cba328dcbc",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2023-12-26T00:03:03.925000",
"created": "2023-12-02T04:17:18.188000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 78,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3751,
"URL": 10878,
"domain": 2914,
"hostname": 3520,
"CVE": 16
},
"indicator_count": 23902,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655f6d7ac217661e4bc37f4d",
"name": "Qbot | Miscellaneous Attacks",
"description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.",
"modified": "2023-12-23T07:03:55.171000",
"created": "2023-11-23T15:19:22.356000",
"tags": [
"pattern match",
"ascii text",
"file",
"jpeg image",
"exif standard",
"tiff image",
"png image",
"united",
"baseline",
"rgba",
"date",
"class",
"unknown",
"hybrid",
"accept",
"local",
"click",
"strings",
"generator",
"critical",
"error",
"firehol",
"detection list",
"ip address",
"blacklist",
"botnet command",
"control server",
"noname057",
"facebook",
"phishtank",
"blacklist http",
"organization",
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"n64xtx0vpihxzc",
"whois whois",
"qpyrn6pd http",
"referrer",
"execution",
"communicating",
"core",
"discord",
"hiddentear",
"metro",
"probe",
"ransomexx",
"quasar",
"asyncrat",
"bleachgap",
"formbook",
"nanocore",
"roblox",
"heur",
"cyber threat",
"engineering",
"malware",
"phishing",
"malicious site",
"phishing site",
"covid19",
"team",
"bank",
"cobalt strike",
"artemis",
"download",
"zbot",
"suppobox",
"service",
"downloader",
"virut",
"malicious",
"emotet",
"stealer",
"exploit",
"generic",
"dropper",
"unruy",
"agent",
"unsafe",
"ramnit",
"redline stealer",
"smsspy",
"bradesco",
"fakealert",
"qakbot",
"outbreak",
"qbot",
"bankerx",
"riskware",
"nimda",
"swrort",
"adwind",
"trojanx",
"crack",
"win64",
"squirrelwaffle",
"pony",
"binder",
"virustotal",
"azorult",
"zeus",
"nymaim",
"matsnu",
"simda",
"runescape",
"cutwail",
"dnspionage",
"redirector",
"fusioncore",
"iframe",
"killav",
"raccoon",
"daum",
"installcore",
"ransomware",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"presenoker",
"downldr",
"alexa",
"applicunwnt",
"opencandy",
"cleaner",
"wacatac",
"xrat",
"xtrat",
"dbatloader",
"infy",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"phish",
"deepscan",
"trojanspy",
"maltiverse",
"qpyrn6pd",
"spyware",
"injector",
"jul jan",
"tag count",
"tue jan",
"threat report",
"ip summary",
"url summary",
"summary",
"sample"
],
"references": [
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"*otc.greatcall.com [Botnetwork]",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"tulach.cc. [Malevolent | Modified description]",
"https://tulach.cc/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]"
],
"public": 1,
"adversary": "Qbot",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Roblox",
"display_name": "Roblox",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 897,
"FileHash-SHA1": 479,
"URL": 9847,
"domain": 2344,
"hostname": 2398,
"CVE": 22,
"FileHash-SHA256": 4712
},
"indicator_count": 20699,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "890 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655f6d89b33758a190399f39",
"name": "Qbot | Miscellaneous Attacks",
"description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.",
"modified": "2023-12-23T07:03:55.171000",
"created": "2023-11-23T15:19:37.838000",
"tags": [
"pattern match",
"ascii text",
"file",
"jpeg image",
"exif standard",
"tiff image",
"png image",
"united",
"baseline",
"rgba",
"date",
"class",
"unknown",
"hybrid",
"accept",
"local",
"click",
"strings",
"generator",
"critical",
"error",
"firehol",
"detection list",
"ip address",
"blacklist",
"botnet command",
"control server",
"noname057",
"facebook",
"phishtank",
"blacklist http",
"organization",
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"n64xtx0vpihxzc",
"whois whois",
"qpyrn6pd http",
"referrer",
"execution",
"communicating",
"core",
"discord",
"hiddentear",
"metro",
"probe",
"ransomexx",
"quasar",
"asyncrat",
"bleachgap",
"formbook",
"nanocore",
"roblox",
"heur",
"cyber threat",
"engineering",
"malware",
"phishing",
"malicious site",
"phishing site",
"covid19",
"team",
"bank",
"cobalt strike",
"artemis",
"download",
"zbot",
"suppobox",
"service",
"downloader",
"virut",
"malicious",
"emotet",
"stealer",
"exploit",
"generic",
"dropper",
"unruy",
"agent",
"unsafe",
"ramnit",
"redline stealer",
"smsspy",
"bradesco",
"fakealert",
"qakbot",
"outbreak",
"qbot",
"bankerx",
"riskware",
"nimda",
"swrort",
"adwind",
"trojanx",
"crack",
"win64",
"squirrelwaffle",
"pony",
"binder",
"virustotal",
"azorult",
"zeus",
"nymaim",
"matsnu",
"simda",
"runescape",
"cutwail",
"dnspionage",
"redirector",
"fusioncore",
"iframe",
"killav",
"raccoon",
"daum",
"installcore",
"ransomware",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"presenoker",
"downldr",
"alexa",
"applicunwnt",
"opencandy",
"cleaner",
"wacatac",
"xrat",
"xtrat",
"dbatloader",
"infy",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"phish",
"deepscan",
"trojanspy",
"maltiverse",
"qpyrn6pd",
"spyware",
"injector",
"jul jan",
"tag count",
"tue jan",
"threat report",
"ip summary",
"url summary",
"summary",
"sample"
],
"references": [
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"*otc.greatcall.com [Botnetwork]",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"tulach.cc. [Malevolent | Modified description]",
"https://tulach.cc/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]"
],
"public": 1,
"adversary": "Qbot",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Roblox",
"display_name": "Roblox",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 897,
"FileHash-SHA1": 479,
"URL": 9847,
"domain": 2344,
"hostname": 2398,
"CVE": 22,
"FileHash-SHA256": 4712
},
"indicator_count": 20699,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "890 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655f6edffd3910161c2ad1a2",
"name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert",
"description": "",
"modified": "2023-12-23T07:03:55.171000",
"created": "2023-11-23T15:25:19.843000",
"tags": [
"pattern match",
"ascii text",
"file",
"jpeg image",
"exif standard",
"tiff image",
"png image",
"united",
"baseline",
"rgba",
"date",
"class",
"unknown",
"hybrid",
"accept",
"local",
"click",
"strings",
"generator",
"critical",
"error",
"firehol",
"detection list",
"ip address",
"blacklist",
"botnet command",
"control server",
"noname057",
"facebook",
"phishtank",
"blacklist http",
"organization",
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"n64xtx0vpihxzc",
"whois whois",
"qpyrn6pd http",
"referrer",
"execution",
"communicating",
"core",
"discord",
"hiddentear",
"metro",
"probe",
"ransomexx",
"quasar",
"asyncrat",
"bleachgap",
"formbook",
"nanocore",
"roblox",
"heur",
"cyber threat",
"engineering",
"malware",
"phishing",
"malicious site",
"phishing site",
"covid19",
"team",
"bank",
"cobalt strike",
"artemis",
"download",
"zbot",
"suppobox",
"service",
"downloader",
"virut",
"malicious",
"emotet",
"stealer",
"exploit",
"generic",
"dropper",
"unruy",
"agent",
"unsafe",
"ramnit",
"redline stealer",
"smsspy",
"bradesco",
"fakealert",
"qakbot",
"outbreak",
"qbot",
"bankerx",
"riskware",
"nimda",
"swrort",
"adwind",
"trojanx",
"crack",
"win64",
"squirrelwaffle",
"pony",
"binder",
"virustotal",
"azorult",
"zeus",
"nymaim",
"matsnu",
"simda",
"runescape",
"cutwail",
"dnspionage",
"redirector",
"fusioncore",
"iframe",
"killav",
"raccoon",
"daum",
"installcore",
"ransomware",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"presenoker",
"downldr",
"alexa",
"applicunwnt",
"opencandy",
"cleaner",
"wacatac",
"xrat",
"xtrat",
"dbatloader",
"infy",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"phish",
"deepscan",
"trojanspy",
"maltiverse",
"qpyrn6pd",
"spyware",
"injector",
"jul jan",
"tag count",
"tue jan",
"threat report",
"ip summary",
"url summary",
"summary",
"sample"
],
"references": [
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"*otc.greatcall.com [Botnetwork]",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"tulach.cc. [Malevolent | Modified description]",
"https://tulach.cc/ [phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]"
],
"public": 1,
"adversary": "Qbot",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Roblox",
"display_name": "Roblox",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "655f6d89b33758a190399f39",
"export_count": 86,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 897,
"FileHash-SHA1": 479,
"URL": 9847,
"domain": 2344,
"hostname": 2398,
"CVE": 22,
"FileHash-SHA256": 4712
},
"indicator_count": 20699,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "890 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655950034e6ae4650a6b02ce",
"name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4",
"description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]",
"modified": "2023-12-18T23:03:18.732000",
"created": "2023-11-19T00:00:03.258000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et",
"october",
"contacted",
"threat roundup",
"january",
"cyberstalking",
"attack",
"icmp",
"banker",
"keylogger",
"google llc",
"gc abuse",
"orgid",
"direct",
"whois lookup",
"netrange",
"nethandle",
"net34",
"net340000",
"googl2",
"comment",
"gc",
"dns replication",
"date",
"domain",
"win32 exe",
"driver pro",
"files",
"detections type",
"name",
"optimizer pro",
"javascript",
"text",
"text ip",
"aacr",
"type name",
"email",
"email delivery",
"email fwd",
"delivery status",
"notification",
"name verdict",
"runtime process",
"sha1",
"size",
"localappdata",
"temp",
"prefetch8",
"unicode text",
"type data",
"programfiles",
"win64",
"hybrid",
"click",
"strings",
"youth",
"pe resource",
"apple private",
"data collection",
"hidden privacy",
"threats https",
"legal",
"amazon aws",
"wife happy",
"vhash",
"authentihash",
"ssdeep",
"file type",
"magic pe32",
"intel",
"ms windows",
"trid windows",
"os2 executable",
"compiler",
"delphi",
"sections",
"md5 code",
"data",
"children",
"file size",
"dropped files",
"google update",
"setup sha256",
"kb file"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "GC",
"display_name": "GC",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12901,
"hostname": 4445,
"domain": 3685,
"FileHash-MD5": 197,
"FileHash-SHA256": 5136,
"FileHash-SHA1": 170,
"CIDR": 1,
"email": 2,
"CVE": 4
},
"indicator_count": 26541,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "894 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655aef8a8cc2e0929f2aa5ea",
"name": "Python Initiated Connection | Spyware | Remote Attacks |",
"description": "",
"modified": "2023-12-18T23:03:18.732000",
"created": "2023-11-20T05:32:58.400000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et",
"october",
"contacted",
"threat roundup",
"january",
"cyberstalking",
"attack",
"icmp",
"banker",
"keylogger",
"google llc",
"gc abuse",
"orgid",
"direct",
"whois lookup",
"netrange",
"nethandle",
"net34",
"net340000",
"googl2",
"comment",
"gc",
"dns replication",
"date",
"domain",
"win32 exe",
"driver pro",
"files",
"detections type",
"name",
"optimizer pro",
"javascript",
"text",
"text ip",
"aacr",
"type name",
"email",
"email delivery",
"email fwd",
"delivery status",
"notification",
"name verdict",
"runtime process",
"sha1",
"size",
"localappdata",
"temp",
"prefetch8",
"unicode text",
"type data",
"programfiles",
"win64",
"hybrid",
"click",
"strings",
"youth",
"pe resource",
"apple private",
"data collection",
"hidden privacy",
"threats https",
"legal",
"amazon aws",
"wife happy",
"vhash",
"authentihash",
"ssdeep",
"file type",
"magic pe32",
"intel",
"ms windows",
"trid windows",
"os2 executable",
"compiler",
"delphi",
"sections",
"md5 code",
"data",
"children",
"file size",
"dropped files",
"google update",
"setup sha256",
"kb file"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "GC",
"display_name": "GC",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655950034e6ae4650a6b02ce",
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 12901,
"hostname": 4445,
"domain": 3685,
"FileHash-MD5": 197,
"FileHash-SHA256": 5136,
"FileHash-SHA1": 170,
"CIDR": 1,
"email": 2,
"CVE": 4
},
"indicator_count": 26541,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "894 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655907b4d8c905f4475d8bcc",
"name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3",
"description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]",
"modified": "2023-12-18T16:03:26.037000",
"created": "2023-11-18T18:51:32.856000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8650,
"hostname": 3073,
"domain": 2708,
"FileHash-MD5": 118,
"FileHash-SHA256": 3552,
"FileHash-SHA1": 104
},
"indicator_count": 18205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "894 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655907b9da2479892590b77a",
"name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3",
"description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]",
"modified": "2023-12-18T16:03:26.037000",
"created": "2023-11-18T18:51:37.411000",
"tags": [
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"contenttype",
"phpsessid",
"cisco umbrella",
"alexa top",
"million",
"safe site",
"site",
"whois record",
"ssl certificate",
"execution",
"dropped",
"whois whois",
"historical ssl",
"copy",
"tsara brashears",
"communicating",
"referrer",
"cobalt strike",
"hacktool",
"emotet",
"download",
"malware",
"malicious",
"critical",
"relic",
"monitoring",
"installer",
"android",
"agent tesla",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8650,
"hostname": 3073,
"domain": 2708,
"FileHash-MD5": 118,
"FileHash-SHA256": 3552,
"FileHash-SHA1": 104
},
"indicator_count": 18205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "894 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655650c9b2be6cc930c92cf3",
"name": "https://myaccount.uscis.gov/",
"description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:26:33",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 102,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "896 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655652f6ddcbf952a599cded",
"name": "https://myaccount.uscis.gov/",
"description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:35:50.285000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "896 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65565477da453c46f05a6ac4",
"name": "BTW VirusTotal - \" interesting files written to disk during execution'",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:42:15.123000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 101,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "896 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655657ca2e402d4f98283de9",
"name": "https://myaccount.uscis.gov/ ",
"description": "",
"modified": "2023-12-16T15:00:49.451000",
"created": "2023-11-16T17:56:26.312000",
"tags": [
"whois record",
"ssl certificate",
"whois whois",
"communicating",
"referrer",
"ip address",
"contacted",
"pe resource",
"historical ssl",
"collections wow",
"cobalt",
"stealer",
"quasar",
"remcos",
"ursnif",
"fabookie",
"name verdict",
"exit",
"node tcp",
"traffic",
"united",
"et tor",
"known tor",
"relayrouter",
"anonymizer",
"tor known",
"tor relayrouter",
"cisco umbrella",
"site",
"safe site",
"heur",
"maltiverse",
"million",
"alexa top",
"unsafe",
"html",
"team",
"riskware",
"malware",
"phishing",
"union",
"bank",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"webtoolbar",
"detection list",
"blacklist http",
"september",
"threat roundup",
"execution",
"metro",
"formbook",
"kgs0",
"kls0",
"blacklist https",
"malicious site",
"malware site",
"phishing site",
"download",
"malicious",
"azorult",
"service",
"runescape",
"facebook",
"genkryptik",
"fuery",
"wacatac",
"alexa",
"dbatloader",
"nanocore rat",
"agent tesla",
"binder",
"dridex",
"hawkeye",
"small",
"netwire",
"trojan",
"redline stealer",
"lumma stealer",
"trojanspy",
"redline",
"lumma",
"tsara brashears",
"whois",
"asn owner",
"highly targeted",
"relacionada",
"lolkek",
"emotet",
"dark power",
"wiper",
"ransomware",
"cobalt strike",
"quasar rat",
"core",
"bitrat",
"hacktool",
"critical",
"copy",
"installer",
"meta",
"as15169 google",
"aaaa",
"a domains",
"videosdewebcams",
"search",
"passive dns",
"urls",
"record value",
"date",
"certificate",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
}
],
"attack_ids": [
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655650c9b2be6cc930c92cf3",
"export_count": 100,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 204,
"FileHash-SHA1": 182,
"FileHash-SHA256": 6268,
"URL": 13989,
"domain": 3229,
"hostname": 4412,
"CVE": 19,
"email": 3
},
"indicator_count": 28306,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "896 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"stagelight.pl (malicious/ pattern match)",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"www.jamesbgriffinlaw.com (malicious host)",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"Colorado maintains a public-facing police misconduct database via the state's",
"tulach.cc. [Malevolent | Modified description]",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net",
"103.233.208.9 (CNC IP)",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"www.hallrender.com (malware hosting)",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
"192.124.249.53:80",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]",
"*otc.greatcall.com [Botnetwork]",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"west-sca.duckdns.org",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
"api.useragentswitch.com",
"I am very upset. Whoever is doing this is sick.",
"www.socialimages.reputationdatabase.com",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Roksit.net",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"IP\u2019s Contacted: 192.124.249.187",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"Behavior Pattern Match Analysis",
"batchcourtexpressservicesqa.westlaw.com",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"Ransomware: message.htm.com",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://es.pornhat.com/models/the-sex-creator/",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"AS24961 MyLoc Managed IT AG",
"45.159.189.105 (Command and Control)",
"nr-data.net",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"142.250.180.4 (init.ess)",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"apple-aqo.com (1 DNSPod.net)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"https://therahand.com",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"Name : iveins.de Service : connect",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"Files",
"https://support.Apple.com/de",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.roseoubleu.fr/panier (phishing)",
"batchpublicrecords.westlaw.com",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"http://ww1.tsx.org/_fd",
"BinBusyBox: 0x.un5t48l3.host",
"https://applepaydayloans.com/",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"Can the DoD no questions asked target a SA victim",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"http://tracks.theleders.family",
"hallplan.vm05.iveins.de",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"Yara Detections : compromised_site_redirector_fromcharcode",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"https://www.apple.com/sitemap/",
"https://urlscan.io/domain/maxwam.tk",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"init.ess.apple.com (remote hacking)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"Target agreed and complied with all lie detector measures.",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"http://45.159.189.105/bot/regex (Bot Command)",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"apple.com. (malicious version/header)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"Data Analytics",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"dns.google (DNS client services - Doug Cole)",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!",
"https://poemhunter.com/tsara-brashears/",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"http://www.Apple.com/quicktime/download",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"If someone is believed to be a threat they have right to due process.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
"government.westlaw.com",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"www.dead-speak.com",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"remote.telegrafix.com (remote hacking)",
"http://mobtrack.trkclk.net",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"192.124.249.187",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"fakecelebporno.com",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"https://meumundogay-com.sexogratis.page/locker",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"apple-dns.net",
"https://www.searchw3.com/",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.Apple.com/quicktime/download/standalone.html",
"emails.redvue.com (apple DNS w/amvima)",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"www.opencandy.com",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"c.oooooooooo.ga (c.apple.com cdn)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"There is fear in silence or speaking out",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"https://account.helix.com/activate/start",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"www42.jhonisdead.com",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"https://hallrender.com/attorney/brian-sabey",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"iamrobert.com Y.A.S.",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"freeimdatingsites.thomasdobo.eu",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"drive.google.com/",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://www.anyxxxtube.net/media/favicon/apple",
"https://tulach.cc/ [phishing]",
"us-west-2.es.amazonaws.com (pslicorp)",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"apex.jquery.com (scammer | works for who?)",
"photos.theleders.family",
"https://www.red-gate.com/products/smartassembly",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"applepaydayloans.com",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators",
"https://www.hallrender.com/attorney/brian-sabey",
"remote.haverhillcc.com (remote hacking)",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"COINBASECARTEL",
"Qbot",
"M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"NSO Pegasus"
],
"malware_families": [
"Win32:malware",
"Other dangerous malware",
"Redline",
"Njrat",
"Alf:heraklezeval:pua:win32/ultradownloads",
"Fakeav.for",
"Trojan.ransom.generickd",
"#hstr:hacktool:win32/mimikatz",
"Win.dropper.njrat-10015886-0",
"Backdoor:asp/chopper.f!dha",
"Trojan.generic",
"Trojan:msil/ranos.a",
"Suppobox",
"Tulach malware",
"Webtoolbar",
"Vitzo",
"Redline stealer",
"Trojan:win32/tiggre",
"Gen:variant.razy",
"Win.packed.msilperseus-9956592-0",
"Nid",
"Skynet",
"Anonymizer",
"Pegasus",
"Hsbc",
"Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat",
"Trojan:win32/tiggre!rfn",
"Atros.upk",
"Msil:agent-dq\\ [trj]",
"Beach research",
"Et",
"Psw.generic13",
"Maltiverse",
"Tel:trojan:win32/emotet",
"Lockbit",
"China telecom",
"Tofsee",
"Artemis",
"Virtool:msil/covent.a",
"Win.trojan.adinstall-2",
"Sonbokli",
"Qbot",
"W32.hack.generic",
"Trojan:win32/wacatac",
"Zbot",
"Backdoor:msil/bladabindi.aj gc!",
"Trojan.ole2.vbs",
"Tel:delphi/obfuscator",
"Luhe.fiha.a",
"Rms",
"Backdoor.mokes",
"Win.packed.fecn-7077459-0",
"Win.packed.generic-9795615-0",
"Worm:win32/netsky",
"Zeus",
"Alf:trojan:win32/formbook",
"Win64:trojanx",
"Ver",
"Keyloggers",
"Proxy",
"Adware.dropware",
"Win.trojan.agent-306281",
"Mirai",
"Trojan:win32/pynamer!rfn",
"Dropper.binder",
"Freemake",
"Trojan:win32/floxif.e",
"Apnic",
"Pua.optimizerpro/pcoptimizerpro",
"Uztuby",
"Sodin ransomware",
"Backdoor:msil/bladabindi.aj",
"Win.trojan.generic-6417450-0",
"Ubot",
"Kelihos",
"Adwaresig [adw] ml.generic",
"Sdbot.caoc",
"Malicious.22a4c0",
"Ml.generic",
"Babar",
"Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar",
"Elf:mirai-gh\\ [trj]",
"Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea",
"Ramnit",
"Laplasclipper",
"Behav",
"Inmortal",
"Win.trojan.generic-9801687-0",
"Gamehack",
"Emotet",
"Gen:variant.zusy",
"Phish.ab",
"Exploit:js/cve-2014-0322",
"Malware.generic",
"Win.malware.bzub-6727003-0",
"Elf:gafgyt-dz\\ [trj]",
"Win32.pdf.alien",
"Relic",
"Mbt",
"Trojan:msil/clipbanker",
"Generic.malware",
"States",
"Tulach",
"Cobalt strike - s0154",
"Other malware",
"Php.exploit.c99-27",
"Win.packed.generic-9795615-0\t.",
"Win.trojan.nanocore-5",
"Lumma",
"Gamehack.dr",
"Gc",
"Generic",
"Slfper:installcore",
"Gen:variant.bulz",
"Virtool:win32/obfuscator.ki",
"Wannacry kill switch",
"#lowfi:siga:trojanspy:msil/keylogger",
"Alf:program:opencandy:remnant",
"Trojanspy",
"Alf:backdoor:msil/noancooe.ka",
"#lowfi:hstr:msil/obfuscator.deepsea",
"Cl0p",
"Legacy.trojan.agent-37025",
"Domains",
"Virtool:msil/covent",
"Win32:malob-db\\ [cryp]",
"Roblox",
"Malware",
"Invoke-mimikatz",
"Cve-2025-11727",
"Redirector",
"Unix.trojan.mirai-5607483-0",
"Trojan.html.agent",
"Win.virus.virlock-6804475-0",
"Qvm20.1.8d80.malware",
"Pws:msil/steam",
"Generic.31fcc75f"
],
"industries": [
"Oil",
"Health",
"Education"
],
"unique_indicators": 247014
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/docs.tw",
"whois": "http://whois.domaintools.com/docs.tw",
"domain": "docs.tw",
"hostname": "admin.docs.tw"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69e940361a6e8be7e02ffe5d",
"name": "URL_File_Delivery clone by octoseek",
"description": "",
"modified": "2026-05-22T23:04:42.859000",
"created": "2026-04-22T21:40:06.671000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d9d1b920c9b43c1885b2e4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1644,
"domain": 386,
"hostname": 535,
"FileHash-SHA256": 609,
"email": 5,
"URI": 9,
"FilePath": 1,
"FileHash-SHA1": 8,
"FileHash-MD5": 24
},
"indicator_count": 3221,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "123 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "190 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "http://admin.docs.tw",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "http://admin.docs.tw",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780237509.4387503
}