{ "type": "URL", "indicator": "https://20.apidocs.cloudendpointsapis.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://20.apidocs.cloudendpointsapis.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2992536601, "indicator": "https://20.apidocs.cloudendpointsapis.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 32, "pulses": [ { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665182d791bfc08412ec2c0a", "name": "Shadow Pad | Appears as investigation of an infirmed non criminal", "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data execute commands, interacts with the file system and registry, and deploys new modules to extend functionality controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police , ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.", "modified": "2024-06-24T05:01:31.025000", "created": "2024-05-25T06:19:03.896000", "tags": [ "threat roundup", "historical ssl", "referrer", "socs", "water dybbuk", "a bec", "actor using", "service", "privateloader", "blacknet rat", "shadowpad", "algorithm", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "aaaa", "record type", "ttl value", "cname", "server", "domain status", "google llc", "registrar abuse", "registrar", "admin country", "ca creation", "dnssec", "subdomains", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "first", "name verdict", "falcon sandbox", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "sha1", "sha256", "severity", "ascii text", "hybrid", "local", "click", "strings", "contact", "isoscope", "malicious", "Trojan:PDF/Owaphish.A", "android", "cisco", "show", "create c", "related pulses", "copy", "search", "peter pdf", "modifydate", "hacker playbook", "practical guide", "write", "trojan", "format", "core", "united", "unknown", "passive dns", "scan endpoints", "all scoreblue", "urls", "files", "none related", "miles", "all search", "otx scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "abuse", "pentest", "127.0.0.1" ], "references": [ "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RCE CVE-2023-3519", "display_name": "RCE CVE-2023-3519", "target": null }, { "id": "Trojan:PDF/Owaphish.A", "display_name": "Trojan:PDF/Owaphish.A", "target": "/malware/Trojan:PDF/Owaphish.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 97, "FileHash-SHA1": 93, "FileHash-SHA256": 822, "domain": 166, "URL": 571, "hostname": 252, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 2012, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "664 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "767 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0730b6595444a3fdd98", "name": "High Priority \u2206 Virus:Win32/Neshta.A || Yara Detection MAL_Netsha_Mar20_1 , Delphi", "description": "", "modified": "2023-12-06T16:25:23.940000", "created": "2023-12-06T16:25:23.940000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 360, "FileHash-MD5": 441, "FileHash-SHA256": 1564, "domain": 89, "URL": 694, "FileHash-SHA1": 428, "SSLCertFingerprint": 5 }, "indicator_count": 3581, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657098f7a0c84c2c55585e87", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "", "modified": "2023-12-06T15:53:27.118000", "created": "2023-12-06T15:53:27.118000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 279, "FileHash-SHA256": 1027, "hostname": 933, "URL": 2201, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657098f2c33d291538754bc7", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "", "modified": "2023-12-06T15:53:22.011000", "created": "2023-12-06T15:53:22.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 279, "FileHash-SHA256": 1027, "hostname": 933, "URL": 2201, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657095a268707bb604d97ccf", "name": "WannaCry, Generic\tCVE-2017-0147 - ARIA - Accessibility css/js abuse", "description": "", "modified": "2023-12-06T15:39:14.144000", "created": "2023-12-06T15:39:14.144000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 119, "hostname": 5, "URL": 25, "domain": 1, "FileHash-MD5": 15, "FileHash-SHA1": 15 }, "indicator_count": 180, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708f1d9c1be22930c7a9ca", "name": "This is a whoopa - vast adware camp using tweets/links/img's but equates to spyware via regular default Services, configs and cloud host", "description": "", "modified": "2023-12-06T15:11:25.389000", "created": "2023-12-06T15:11:25.389000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1341, "CVE": 1, "FileHash-SHA256": 3239, "domain": 1303, "URL": 8470, "FileHash-MD5": 893, "FileHash-SHA1": 795 }, "indicator_count": 16042, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708cf911f044ba6f739580", "name": "Infections start here 91.195.240.226-as47846- SEDO-DE - aid www.bbb.org", "description": "", "modified": "2023-12-06T15:02:16.933000", "created": "2023-12-06T15:02:16.933000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 610, "URL": 1279, "email": 2, "hostname": 375, "domain": 172, "FileHash-MD5": 99, "FileHash-SHA1": 81, "CVE": 1 }, "indicator_count": 2619, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570841ce0f526e54683ab2c", "name": "mesacounty.us_05.21.2019", "description": "", "modified": "2023-12-06T14:24:28.383000", "created": "2023-12-06T14:24:28.383000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 706, "domain": 65, "hostname": 165, "URL": 493, "CIDR": 1, "FileHash-MD5": 6 }, "indicator_count": 1436, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657083ed4fcdc6eded29d59b", "name": "crowdtangle.com 03.29.2017", "description": "", "modified": "2023-12-06T14:23:41.446000", "created": "2023-12-06T14:23:41.446000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 989, "domain": 121, "hostname": 196, "URL": 612, "CIDR": 6, "FileHash-MD5": 4 }, "indicator_count": 1928, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708114a5b73f6d66bce4ba", "name": "DominionVoting.com 03.09.22", "description": "", "modified": "2023-12-06T14:11:32.831000", "created": "2023-12-06T14:11:32.831000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 2612, "FileHash-SHA256": 1478, "domain": 479, "hostname": 1339, "FileHash-SHA1": 22 }, "indicator_count": 5931, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f09785f9ee8aebca2a667", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-30T01:40:08.022000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": "653bf3b076e4dbcd0c099992", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "875 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653bf3b076e4dbcd0c099992", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-27T17:30:24.926000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "875 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e572236d40e24baf4ad2d0", "name": "High Priority \u2206 Virus:Win32/Neshta.A || Yara Detection MAL_Netsha_Mar20_1 , Delphi", "description": "Win32/Neshta.A is a highly destructive file infector. No permissions. The virus downloads itself without obvious detection. Persistence. Changes default value of registry. The virus searches local drives for files, injection of malice virus code. Can render device a zombie even after all infected files are removed.\nTargets Windows systems.\nPEXE - PE32 executable (GUI) Intel 80386, for MS Windows\nMALICIOUS \nWin32:Apanas\\ [Trj]\nWin.Trojan.Neshuta-1\nVirus:Win32/Neshta.A\nYara Detections\nMAL_Netsha_Mar20_1\nDelphi\nAlerts\nnetwork_icmp\npersistence_autorun\nmodifies_certificates\ninjection_resumethread\ndumped_buffer\nnetwork_http\nsuspicious_tld\nallocates_rwx\ncreates_exe\ndropper", "modified": "2023-09-22T03:02:56.838000", "created": "2023-08-23T02:42:43.850000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1358, "FileHash-SHA1": 1314, "FileHash-SHA256": 6030, "hostname": 558, "domain": 271, "URL": 1145, "SSLCertFingerprint": 15 }, "indicator_count": 10691, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d56620fb6845e22b859e75", "name": "Who is ENOM (DREAMHOST)", "description": "", "modified": "2023-09-11T00:03:40.398000", "created": "2023-08-10T22:35:12.322000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d31d52d54a9591dd717e17", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2544, "domain": 2507, "URL": 2757, "email": 26, "CVE": 25, "FileHash-SHA256": 61, "FileHash-MD5": 9, "FileHash-SHA1": 12 }, "indicator_count": 7941, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "951 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d31d52d54a9591dd717e17", "name": "www.xenu.net", "description": "", "modified": "2023-09-09T22:02:22.224000", "created": "2023-08-09T05:00:02.729000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 685, "domain": 820, "URL": 1219, "email": 8, "CVE": 16, "FileHash-SHA256": 8, "FileHash-MD5": 3, "FileHash-SHA1": 6 }, "indicator_count": 2765, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "952 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d4072c84e5ad274ea361a8", "name": "216.58.193.74", "description": "Related suspicious activity", "modified": "2023-09-08T00:02:16.727000", "created": "2023-08-09T21:37:47.344000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 20, "hostname": 11, "domain": 1, "URL": 20 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "954 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "641e0e41b1efe6e622d75902", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "email confirmation link sent for blockchain wallet on iphone", "modified": "2023-04-23T19:00:53.967000", "created": "2023-03-24T20:55:29.514000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "chromeua", "dropped file", "ansi", "optout", "license", "runtime data", "drmedgeua", "localappdata", "edgeua", "optin", "error", "span", "template", "unknown", "class", "window", "legend", "mexico", "hybrid", "suspicious", "general", "malicious", "close", "click", "date", "hosts", "express", "strings", "format", "qakbot" ], "references": [ "https://hybrid-analysis.com/sample/b324856ed3acdd48a6d7583e9ae0f36a110c28e6b1b185c231129dd4f88049af/640f60d8e122e6ac3a0f1d7e", "Full URL from email", "https://login.blockchain.com/?#%2Fverify-email%2FLIhC1RPA4qIlUzBPvep8xn5FkBPW4XQlsbo7MBIxQcqfNxPUykgf2GINwzEeUKYkJMV6FJbewOlqaND96%2BR7de%2Bja2BIbLW6E6ZF2zbr05wOyVqAHx7gtq6Y4bhqFinCB3PIOH%2BlVxnfVwrzIbISyMnp7mdw%2FQU5LKoGTTnPq4v1W1uPN7iQcBlIhnNQ6QwO%3Fcontext%3DSETTINGS'" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2201, "hostname": 933, "domain": 279, "FileHash-SHA256": 1027, "email": 2, "FileHash-MD5": 56, "FileHash-SHA1": 51 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1092 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "641e0e3da4fbafac633c0124", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "email confirmation link sent for blockchain wallet on iphone", "modified": "2023-04-23T19:00:53.967000", "created": "2023-03-24T20:55:25.579000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "chromeua", "dropped file", "ansi", "optout", "license", "runtime data", "drmedgeua", "localappdata", "edgeua", "optin", "error", "span", "template", "unknown", "class", "window", "legend", "mexico", "hybrid", "suspicious", "general", "malicious", "close", "click", "date", "hosts", "express", "strings", "format", "qakbot" ], "references": [ "https://hybrid-analysis.com/sample/b324856ed3acdd48a6d7583e9ae0f36a110c28e6b1b185c231129dd4f88049af/640f60d8e122e6ac3a0f1d7e", "Full URL from email", "https://login.blockchain.com/?#%2Fverify-email%2FLIhC1RPA4qIlUzBPvep8xn5FkBPW4XQlsbo7MBIxQcqfNxPUykgf2GINwzEeUKYkJMV6FJbewOlqaND96%2BR7de%2Bja2BIbLW6E6ZF2zbr05wOyVqAHx7gtq6Y4bhqFinCB3PIOH%2BlVxnfVwrzIbISyMnp7mdw%2FQU5LKoGTTnPq4v1W1uPN7iQcBlIhnNQ6QwO%3Fcontext%3DSETTINGS'" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2201, "hostname": 933, "domain": 279, "FileHash-SHA256": 1027, "email": 2, "FileHash-MD5": 56, "FileHash-SHA1": 51 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1092 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a8d3073664d04611694d87", "name": "WannaCry, Generic\tCVE-2017-0147 - ARIA - Accessibility css/js abuse", "description": "", "modified": "2023-01-24T22:00:30.143000", "created": "2022-12-25T22:47:35.011000", "tags": [ "https://realtimesupport.clients6.google.com/v2/customers/me/avai", "CVE-2017-0147" ], "references": [ "Tweeting at google - from 2019 - faked google support - Wanna Cry history ioc's \ud83d\udc81\u200d\u2640\ufe0f", "https://twitter.com/dorkingbeauty1/status/1133459934228688896?s=46&t=Dsw0haT2mH5vlsT7azlY9A", "https://realtimesupport.clients6.google.com/v2/customers/me/availabilities?alt=json&source=HELP_CENTER&client_version=1558512194746&key=AIzaSyB5V4SIBGmrqREm7kf2fBJgPcBMCdUrLzE" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Win32:Agent-AXUS\\ [Trj]", "display_name": "Win32:Agent-AXUS\\ [Trj]", "target": null }, { "id": "ALF:Backdoor:MSIL/Bladabindi", "display_name": "ALF:Backdoor:MSIL/Bladabindi", "target": null }, { "id": "WannaCry, Generic", "display_name": "WannaCry, Generic", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "hostname": 5, "FileHash-SHA256": 119, "domain": 1, "FileHash-MD5": 15, "FileHash-SHA1": 15 }, "indicator_count": 180, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6294d3c37b2f4fd77a5ca483", "name": "This is a whoopa - vast adware camp using tweets/links/img's but equates to spyware via regular default Services, configs and cloud host", "description": "Twitter's link shortner from original tweet\nhttps://t.co/1Snx7jYTvZ posted by itspmagazine How many #ransomware predictions by \n@cylanceinc's have/will come true? maybe this adware camp is utilising older podcasts and audio to exfil data. Its taken two days to do this pulse and its far from complete given the original had over 22k indicators", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T14:25:07.820000", "tags": [ "www.quantic-systems.com", "https://itspmagazine.com/from-the-newsroom/ransomware-prediction", "https://t.co/1Snx7jYTvZ" ], "references": [ "ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac 2.json", "https://www.virustotal.com/graph/ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac", "https://mobile.twitter.com/Quantic_Systems/with_replies", "https://mobile.twitter.com/ITSPmagazine/status/810428296995274752", "https://t.co/1Snx7jYTvZ", "How many #ransomware predictions by @cylanceinc 's", "https://docplayer.net/56678996-The-cyber-defense-review.html", "https://itspmagazine.com/from-the-newsroom/ransomware-predictions-past-present-future-future", "www.quantic-systems.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3239, "hostname": 1341, "URL": 8470, "domain": 1303, "CVE": 1, "FileHash-MD5": 893, "FileHash-SHA1": 795 }, "indicator_count": 16042, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "626c6f418117c4b20d0706e3", "name": "Infections start here 91.195.240.226-as47846- SEDO-DE - aid www.bbb.org", "description": "", "modified": "2022-05-29T00:01:17.829000", "created": "2022-04-29T23:05:37.269000", "tags": [ "91.195.240.226", "domain parks", "sedo", "chained malware", ".rel XML", "2013" ], "references": [ "https://hybrid-analysis.com/sample/bb17013c1d9f8e01d55b92a7cefaf20372d1c2a3483ed1d00cce091a2d30cea9/5f97708faf83fa51aa3b74de", "https://hybrid-analysis.com/sample/d6f4e7d29e7b460e67eb5eead3e07ace89682cb8f6c5c62172ec3f46b91f88c6/60e75be8ffad6735563f1a72" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1279, "FileHash-SHA256": 610, "domain": 172, "hostname": 375, "CVE": 1, "FileHash-MD5": 99, "FileHash-SHA1": 81, "email": 2 }, "indicator_count": 2619, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1421 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "623224f0534ee0708b12ebd6", "name": "mesacounty.us_05.21.2019", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T17:57:04.363000", "tags": [], "references": [ "mesacounty.us_05.21.2019.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 494, "domain": 65, "FileHash-SHA256": 706, "hostname": 165, "CIDR": 1, "FileHash-MD5": 6 }, "indicator_count": 1437, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6231e27f73bce35cac1ac401", "name": "crowdtangle.com 03.29.2017", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T13:13:35.659000", "tags": [ "WannaCry" ], "references": [ "crowdtangle.com 03.29.2017.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 196, "URL": 613, "FileHash-SHA256": 989, "domain": 121, "CIDR": 6, "FileHash-MD5": 4 }, "indicator_count": 1929, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228e985e01523dcc5f6090f", "name": "DominionVoting.com 03.09.22", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T17:53:09.239000", "tags": [ "whois record", "whois", "ssl certificate", "linkid182227", "linkid151642", "linkid151645" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2612, "hostname": 1339, "domain": 479, "FileHash-SHA256": 1478, "CVE": 1, "FileHash-SHA1": 22 }, "indicator_count": 5931, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1472 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "Tweeting at google - from 2019 - faked google support - Wanna Cry history ioc's \ud83d\udc81\u200d\u2640\ufe0f", "https://t.co/1Snx7jYTvZ", "crowdtangle.com 03.29.2017.pdf", "ns3.hallgrandsale.ru", "mesacounty.us_05.21.2019.pdf", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "How many #ransomware predictions by @cylanceinc 's", "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.myminiweb.com/", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61", "https://www.virustotal.com/graph/ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac", "Full URL from email", "https://hybrid-analysis.com/sample/bb17013c1d9f8e01d55b92a7cefaf20372d1c2a3483ed1d00cce091a2d30cea9/5f97708faf83fa51aa3b74de", "https://realtimesupport.clients6.google.com/v2/customers/me/availabilities?alt=json&source=HELP_CENTER&client_version=1558512194746&key=AIzaSyB5V4SIBGmrqREm7kf2fBJgPcBMCdUrLzE", "1.116.217.151 [Cobalt Strike]", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "http://alohatube.xyz/search/tsara-brashears", "https://tulach.cc/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://login.blockchain.com/?#%2Fverify-email%2FLIhC1RPA4qIlUzBPvep8xn5FkBPW4XQlsbo7MBIxQcqfNxPUykgf2GINwzEeUKYkJMV6FJbewOlqaND96%2BR7de%2Bja2BIbLW6E6ZF2zbr05wOyVqAHx7gtq6Y4bhqFinCB3PIOH%2BlVxnfVwrzIbISyMnp7mdw%2FQU5LKoGTTnPq4v1W1uPN7iQcBlIhnNQ6QwO%3Fcontext%3DSETTINGS'", "https://www.sweetheartvideo.com/tsara-brashears/", "https://mobile.twitter.com/ITSPmagazine/status/810428296995274752", "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://hybrid-analysis.com/sample/b324856ed3acdd48a6d7583e9ae0f36a110c28e6b1b185c231129dd4f88049af/640f60d8e122e6ac3a0f1d7e", "https://mobile.twitter.com/Quantic_Systems/with_replies", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "www.quantic-systems.com", "ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac 2.json", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "https://docplayer.net/56678996-The-cyber-defense-review.html", "https://twitter.com/dorkingbeauty1/status/1133459934228688896?s=46&t=Dsw0haT2mH5vlsT7azlY9A", "https://hybrid-analysis.com/sample/d6f4e7d29e7b460e67eb5eead3e07ace89682cb8f6c5c62172ec3f46b91f88c6/60e75be8ffad6735563f1a72", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033", "https://itspmagazine.com/from-the-newsroom/ransomware-predictions-past-present-future-future", "dvd-game-new-releases.info", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "vtbehaviour.commondatastorage.googleapis.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Freemake.a potentially unwanted", "Gen:variant.jacard", "Adware.browsefoxcrtd", "Trojan.otnr", "Agen.1144657", "Unsafe.ai_score_94%", "Trojan.cookiesstealer", "Vdehu.a", "Heur:trojan.diztakun", "Trojan.wisdomeyes.16070401.9500", "Blacknet rat", "Adware.oxypumper", "Trojan.linux.generic", "Gen:variant.symmi", "Wisecleaner.a potentially unwanted", "Application.bitcoinminer", "Malicious.f01f67", "Application.auslogics", "Generic.asmalws", "Riskware.crack", "Hacktool.crack", "Sabsik.fl.b", "Nemucod.21c8", "W32.hfsautob", "Downloader.generic", "Maltiverse", "Xtreme rat", "Doplik.j", "Hacktool.bruteforce", "Agent.cux.gen", "Trojandropper.autit", "Packed.dico", "Deepscan:generic.brresmon.1", "Worm.chir", "Quasar rat", "Trojan:win32/xtrat", "Unsafe.ai_score_95% 2", "Kryptik.dawvk", "Vm201.0.b70b.malware", "Program.freemake", "Et", "Cve exploits", "Hacktool.cheatengine", "Gen:variant.application.bundler", "Behaveslike.downloader", "Packed.themida", "Html:redirba", "Js:trojan.clicker", "Trojan.small", "Gen:variant.msilheracles", "Gen:variant.tedy hacktool.vulndriver", "Gen:nn.zemsilf.34170", "Sibot", "Goldfinder", "Mxresicn.heur", "Heur.bzc.yax.boxter.819", "Installcore.gen7", "Trojan.bayrob", "Trojware.js.adware.agent", "Trojan.msil", "Downldr.gen", "Trojan.bat.qhost", "Mimikatz", "Adware.kuzitui", "Cve-2014-3153", "Magazine phishing", "Infected.webpage", "Rce cve-2023-3519", "Ransom:win32/cve-2017-0147", "Downware", "Pe.heur", "Pup.systweak", "Zbot", "Heur:exploit.script", "Remote utilities", "Behaveslike.icloader", "Bscope.trojandownloader", "Win32:agent-axus\\ [trj]", "Qvm05.1.08e5.malware", "Trojan:pdf/owaphish.a", "Trojan.gandcrypt", "Application.deceptor", "Generic.application.js.sobrab.1", "Msil_bladabindi.g.gen", "Warezov.gen3", "Asparnet.p", "Phishing jpmorgan chase and co.", "Trojan.win32.pdf.alien", "Hw32.packed", "Hallrender", "Cobalt strike", "Agen.1045143", "Trojan.ransom.generickd", "Emotet", "Backdoor.androm", "Bscope.trojan", "Generic", "Hoax.deceptpcclean", "Trojan.khalesi 2\tadware 2", "Agent.ocj", "Downloader.opencandy", "Gen:heur.msil.inject", "Trojan.hotkeychick", "Absolute uninstaller", "Trojan.ransom.gandcrab", "Faceliker.d", "Dropper.wanna", "Nettool.remoteexec", "Html:script", "Content reputation", "Darkkomet.ife", "W32.malware", "Win.ransomware.wannacry-9856297-0", "Virus.sality", "Goldmax - s0588", "Generic.js.blackhole", "Heur:hoax.pcfixer", "Gen:variant.bulz", "Clicker.vb", "Gen:variant.application.bundler.downloadguide", "Redirector.an", "Pua.wombat", "Redline stealer", "Hallgrand", "Riskware.hacktool.agent", "Applicunwnt@#2n6\tirs", "Gen:nn.zemsilf.32515", "Ml.attribute", "Wannacry, generic", "Trojan.rozena", "Webtoolbar", "Worm.autorun", "Wacatac.b", "Gen:variant.ursu", "Exploit.zip.heuristic", "Suspici.1f4405d1", "Mimikatz - s0002", "Worm.boychi", "Troj_gen.f04ie00ci19", "Injector.cuam", "Kryptik.gkqr", "Alf:backdoor:msil/bladabindi", "Webtoolbar.asparnet", "Installcore.np", "Adware", "Gen:heur.msil.androm", "Bscope.adware.msil", "Tool.patcher", "Js:trojan.hidelink 2", "Tsgeneric", "Riskware.netfilter", "Agent.mu", "Vb:trojan.valyria", "Trojan.downloader", "W32.installcore.agx", "Backdoor.nhopro", "Tel:trojan:html/phishing", "Sigriskware.lespeedtechnologyltd", "Bscope.backdoor", "Driverreviver.a potentially unwanted", "Trojan.downloader33", "Azorult", "Bondat.a", "Trojanspy", "Scrinject.eric", "Gen:nn.zexaf.34090", "Trojan.clipbanker", "Dropper.gen", "Trojanbanker.banbra", "Backdoor.predator", "Adware.dealply", "Csqkhtaai", "Worm.allaple", "Trojan.brsecmon", "Adwaresig [adw]", "Googletoolbar", "Html:redirme", "Tulach", "Dropper.trojan.agent", "Trojan.js.iframe", "Backdoor.dtr.15", "Scrinject.b" ], "industries": [ "Food", "Government", "Health", "Technology", "Telecommunications" ], "unique_indicators": 112289 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudendpointsapis.com", "whois": "http://whois.domaintools.com/cloudendpointsapis.com", "domain": "cloudendpointsapis.com", "hostname": "20.apidocs.cloudendpointsapis.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 32, "pulses": [ { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665182d791bfc08412ec2c0a", "name": "Shadow Pad | Appears as investigation of an infirmed non criminal", "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data execute commands, interacts with the file system and registry, and deploys new modules to extend functionality controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police , ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.", "modified": "2024-06-24T05:01:31.025000", "created": "2024-05-25T06:19:03.896000", "tags": [ "threat roundup", "historical ssl", "referrer", "socs", "water dybbuk", "a bec", "actor using", "service", "privateloader", "blacknet rat", "shadowpad", "algorithm", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "aaaa", "record type", "ttl value", "cname", "server", "domain status", "google llc", "registrar abuse", "registrar", "admin country", "ca creation", "dnssec", "subdomains", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "first", "name verdict", "falcon sandbox", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "sha1", "sha256", "severity", "ascii text", "hybrid", "local", "click", "strings", "contact", "isoscope", "malicious", "Trojan:PDF/Owaphish.A", "android", "cisco", "show", "create c", "related pulses", "copy", "search", "peter pdf", "modifydate", "hacker playbook", "practical guide", "write", "trojan", "format", "core", "united", "unknown", "passive dns", "scan endpoints", "all scoreblue", "urls", "files", "none related", "miles", "all search", "otx scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "abuse", "pentest", "127.0.0.1" ], "references": [ "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RCE CVE-2023-3519", "display_name": "RCE CVE-2023-3519", "target": null }, { "id": "Trojan:PDF/Owaphish.A", "display_name": "Trojan:PDF/Owaphish.A", "target": "/malware/Trojan:PDF/Owaphish.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 97, "FileHash-SHA1": 93, "FileHash-SHA256": 822, "domain": 166, "URL": 571, "hostname": 252, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 2012, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "664 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "767 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0730b6595444a3fdd98", "name": "High Priority \u2206 Virus:Win32/Neshta.A || Yara Detection MAL_Netsha_Mar20_1 , Delphi", "description": "", "modified": "2023-12-06T16:25:23.940000", "created": "2023-12-06T16:25:23.940000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 360, "FileHash-MD5": 441, "FileHash-SHA256": 1564, "domain": 89, "URL": 694, "FileHash-SHA1": 428, "SSLCertFingerprint": 5 }, "indicator_count": 3581, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://20.apidocs.cloudendpointsapis.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://20.apidocs.cloudendpointsapis.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776634570.865047 }