{ "type": "URL", "indicator": "https://20work.a-poster.info", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://20work.a-poster.info", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3820889362, "indicator": "https://20work.a-poster.info", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 33, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f4c5545b3f6aa22cd15ac", "name": "www.anr.gov.pl", "description": "https://www.virustotal.com/gui/domain/www.anr.gov.pl/relations\nhttps://crt.sh/?q=mail1.anr.gov.pl", "modified": "2025-09-02T11:04:40.312000", "created": "2025-08-03T11:47:33.053000", "tags": [ "id03fam", "id48576" ], "references": [ "http://www.anr.gov.pl", "www.anr.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 744, "URL": 1367, "domain": 144, "email": 1, "hostname": 373, "CVE": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687439c2109c2b61e7afc717", "name": "OTX.AlienVault (2024) in Ebury Botnet-19/5/2024", "description": "", "modified": "2025-07-13T22:57:06.213000", "created": "2025-07-13T22:57:06.213000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "280 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccc0e15d2c624ffa080a50", "name": "Botgor | See OG Link: https://otx.alienvault.com/pulse/66ccbb1146fb07a45b6b97fe", "description": "", "modified": "2024-09-25T15:03:34.890000", "created": "2024-08-26T17:52:33.104000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": "66ccbb1146fb07a45b6b97fe", "export_count": 4029, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1492, "FileHash-MD5": 4799, "URL": 1297, "email": 17, "hostname": 1487, "FileHash-SHA1": 3901, "FileHash-SHA256": 8846, "URI": 1 }, "indicator_count": 21840, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666eeab2d7cd73b992756b36", "name": "OTX.AlienVault.com/LevelBlue in Ebury Botnet-19-5-2024.xlsx", "description": "Ebury Botnet-19-5-2024.xlsx. is affected by and impacting OTX.AlienVault.com-LevelBlue/Labs users. Based on limited information found online, Ebury is an OpenSSH backdoor and credential stealer. It is used to deploy additional malware. Based on online reports; in mid -May 2024 in was found that Ebury targeted/infected ISP's and up to 400,000 Linux, FreeBSD, and OpenBSD servers. Gains remote access, steals cryptocurrency wallets, credentials, and credit card details and much more I don't know about.", "modified": "2024-07-16T11:02:32.735000", "created": "2024-06-16T13:37:54.283000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "738 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "753 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac3ba9d7f42c0ed9c46d", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:27.967000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac46a01234da94a42565", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:38.290000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65caca061fbb7674de86ec7b", "name": "Invicta Stealer", "description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com", "modified": "2024-03-14T01:01:47.115000", "created": "2024-02-13T01:46:46.969000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "resolutions", "communicating", "whois whois", "subdomains", "referrer", "problems", "core", "startpage", "june", "passive dns", "urls", "domain", "otx telemetry", "body", "gmt content", "x adblock", "scan endpoints", "all octoseek", "hostname", "date", "encrypt", "threat roundup", "october", "november", "march", "february", "apple ios", "april", "tsara brashears", "copy", "hacktool", "phishing", "metro", "crypto", "installer", "awful", "united", "unknown", "germany unknown", "search", "servers", "registrar", "name servers", "status", "next", "moved", "address", "creation date", "showing", "ipv4", "pulse submit", "url analysis", "accept", "aaaa", "record type", "ttl value", "html document", "ascii text", "anchor hrefs", "hrefs", "anchor", "anchor href", "threat", "paste", "iocs", "analyze", "hostnames", "url https", "sample", "server", "code", "registry domain", "dnssec", "registrar url", "registrar whois", "iana id", "registrar abuse", "tech email", "fake update", "utilizes new", "idat loader", "stealc", "urls http", "isadultno", "adposbottom", "adformatplain", "adnetworks", "quasar rat", "ip detections", "country", "cellbrite", "execution", "pegasus", "malware", "agent tesla", "attack", "ukraine", "silent", "invicta stealer", "redline stealer", "orcus rat", "files", "germany asn", "as196763", "a domains", "redacted for", "record value", "for privacy", "emails", "name", "contacted urls", "bundled", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "pulse pulses", "location united", "open", "cookie", "customer", "0 report", "sea alt", "certificate", "#targeting", "#discordwallets", "house.mo.gov" ], "references": [ "https://www.facebooksunglassshop.com/", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "edgedl.me.gvt1.com", "Link found in https://house.mo.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Invicta Stealer", "display_name": "Invicta Stealer", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Orcus RAT", "display_name": "Orcus RAT", "target": null }, { "id": "Silent", "display_name": "Silent", "target": null } ], "attack_ids": [], "industries": [ "Government", "Civil Society", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 145, "FileHash-SHA256": 3848, "CVE": 3, "URL": 8291, "domain": 2541, "hostname": 3034, "email": 13 }, "indicator_count": 18028, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4880cf26f0feaf9a75648", "name": "Formbook", "description": "", "modified": "2024-02-13T08:03:20.064000", "created": "2024-01-15T01:19:08.041000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a39f005c7f0a1c1eb33125", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1650, "hostname": 1778, "domain": 2102, "URL": 4435, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10187, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "796 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659cb577ce7e1a4009a6be2f", "name": "Worm:Win32/Benjamin | Miles IT| Emotet | M. Brian Sabey | Striven.com", "description": "Continuously attacking, remote attacks, social engineering via adware, phone contact, email, malware filled , unsolicited videos. Remotely control devices. Relentlessly hacking everything. They go by many names. These are Americans, they tend to direct some of their activities to Chinese servers to avoid detection. Obnoxious. Revenge child to adult content. Malvertizing. If hacking is illegal it doesn't seem worthwhile to stop. No one stops these people even if known to authorities. The also self whitelist.", "modified": "2024-02-08T02:00:24.265000", "created": "2024-01-09T02:54:47.653000", "tags": [ "ssl certificate", "contacted", "historical ssl", "whois record", "whois whois", "lemon duck", "highly targeted", "subdomains", "resolutions", "driver support", "metro", "core", "ransomexx", "quasar", "colibri loader", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "korplug", "agent tesla", "attack", "project", "tsara brashears", "hackers", "critical risk", "installer", "formbook", "mitre attack", "dynamicloader", "high", "yara rule", "ids detections", "yara detections", "cape", "adware malware", "suricata", "etpro malware", "et malware", "guard", "june", "copy", "delphi", "win32", "et", "united", "asnone united", "status", "name servers", "cname", "creation date", "search", "showing", "entries", "passive dns", "date", "urls", "expiration date", "copy c", "pe32", "intel", "ms windows", "write c", "nids", "checkin", "packing t1045", "t1045", "worm", "malware", "code", "write", "date hash", "avast avg", "mtb dec", "pe32 executable", "show", "recon", "benjamin" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 741, "FileHash-SHA1": 655, "FileHash-SHA256": 2432, "URL": 2392, "CVE": 3, "domain": 645, "hostname": 803, "email": 3 }, "indicator_count": 7674, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659ca1cc8d432e6dff4ad5ed", "name": "STRIVEN.COM | Remote videos to my device | Disabled WiFi & Bluetooth | Malicious", "description": "", "modified": "2024-02-08T01:03:54.993000", "created": "2024-01-09T01:30:52.562000", "tags": [ "as21690", "united", "unknown", "search", "entries", "creation date", "scan endpoints", "all search", "otx octoseek", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d65255c80d866add600bac", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1467, "hostname": 2306, "email": 1, "URL": 7023, "FileHash-MD5": 120, "FileHash-SHA1": 120, "FileHash-SHA256": 3205, "CVE": 13 }, "indicator_count": 14255, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64d65255c80d866add600bac", "name": "STRIVEN.COM", "description": "Miles IT escalated target to a bad actors using striven.com, a malicious proxy. It's reminiscent of /related to an alleged Australian hacker;, Handle: Michael Roberts who owned 2 companies (Rexxfield and Mile2) Makes claims of catching killers, etc. Known online on infected devices for malicious code injection and a corny , nonsensical feud with a 'Darren Meade' .\nTarget has been linked to Michael Roberts and Tracey Richter for years. 'Roberts' is Used by defense attorneys to silence victims. Believed to be a fake identity for. Red Team CSDF. (Included upon submission. I didn't write this : A search for GoDaddy.com has been conducted by a team of experts at the University of California, Los Angeles, and the US National Security Agency (NSA) in a series of tests.)", "modified": "2024-02-08T00:01:41.906000", "created": "2023-08-11T15:23:01.014000", "tags": [ "as21690", "united", "unknown", "search", "entries", "creation date", "scan endpoints", "all search", "otx octoseek", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1465, "hostname": 2268, "email": 1, "URL": 6929, "FileHash-MD5": 120, "FileHash-SHA1": 120, "FileHash-SHA256": 3185, "CVE": 13 }, "indicator_count": 14101, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://timersys.com/ [ phishing | deb opera.com]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "www.anr.gov.pl", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "edgedl.me.gvt1.com", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "FormBook", "http://matfyz.cz/ | phishing", "beacons.bcp.gvt.com", "128.2.42.10 'CMU' Carnegie Mellon University Server", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "cpcontacts.webcamara.online", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "https://www.pornhub.com/video/search?search=tsara+brashears", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "https://gronthoghor.com/xoe/qbot.zip \u2022", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "free NSFW experience offered by Dopple AI.MALWARE", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "palantir-staging.staging.candidate.app.paulsjob.ai", "https://twitter.com/PORNO_SEXYBABES", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "appleremote.net", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "I really have no idea what's going on or how safe this platform is.", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "api.telegram.org", "http://ti.hicloudcam.com", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "https://176.113.115.136/ohhiiiii/", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "enterprise.cellebrite.com [ digitalclues.com]", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "Worm:Win32/Benjamin", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "Link found in https://house.mo.com", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "http://alohatube.xyz/search/tsara-brashears", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "applemusic-spotlight.myunidays.com", "wallpapers-nature.com", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "nr-data.net", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "1.download.windowsupdate.com [HiddenTear]", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "a-fondness-for-beauty.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "sabey.com", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anr.gov.pl", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "caltech.edu | Carnegie Mellon University", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "https://thebrotherssabey.wordpress.com/", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "https://www.facebooksunglassshop.com/", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "acam-mdn.apple.com", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "pornhub.com\t \u2022 www.pornhub.com", "RASMONTR.DLL 192.168.56.101", "training001.blackbagtech.com [opportunity?]", "message.htm.com [ message stealer]", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "CVE-2022-26134", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "114.114.114.114", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php", "google.cmu.edu.", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "www.studentaffairs.cmu.edu", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "appleaustralia.com", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "POD 18447 for Cox.xls", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "https://tulach.cc/ [malware engineering | phishing]", "work.a-poster.info", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "alohatube.xyz", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "deviceinbox.com [malware hosting]", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "blackhat.store", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "www-stage40.pornhub.com", "googlepassword.cmu.edu", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "https://search.app.goo.gl/?ofl", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "https://www.nsogroup.com", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "go.sabey.com", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "https://tulach.cc/", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "hanmail.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Win.trojan.generic-9957168-0", "Hacktool", "Silent", "Win32:renos-ck", "Trojanspy:win32/nivdort.di", "Invicta stealer", "Silk", "Tofsee", "Win32:genmalicious-kag\\ [trj]", "Win32:crypterx-gen\\ [trj]", "Zbot", "Trojan:win32/muldrop", "Eternalblue", "Trojan:win32/salgorea", "Worm:win32/fasong", "Other:malware-gen\\ [trj]", "Qbot", "Win32:dh-a\\ [heur]", "Tulach", "Win32/tasekjom.a", "Worm:win32/mofksys", "Win.trojan.knigsfot-125", "Trojan:win32/antavmu.d", "Win.downloader.32972-1", "Trojan:win32/blihan", "Redline stealer", "Pws:win32/vb", "Formbook", "Win32.renos/artro", "Muldrop", "Win.trojan.generic-9897526-0", "Delphi", "Worm:win32/benjamin", "Trojanspy", "Trojan:win32/glupteba", "Alf:trojandownloader:win32/vadokrist.a", "Pws:win32/raven", "Y.a.s:1byte/tinyrod", "Trojan:win32/zbot.sibb3!mtb", "Emotet", "Hiddentear", "Pegasus", "Amadey", "Dopple ai", "Mitre attack", "Trojan:win32/qqpass", "Win.adware.relevantknowledge-9821121-0", "Win.trojan.agent-1286703", "Generic", "Virtool:win32/tofsee", "Tel:trojan:win32/trojandownloader", "Apnic", "#lowfi:siga:trojanspy:msil/keylogger", "Kimsuky", "Win.packer.pkr_ce1a-9980177-0", "Elf:hajime-q\\ [trj]", "Worm.bagle-44", "Trojan:win32/dorkbot.du", "Win32/trojandropper", "Trojanspy:win32/nivdort.de", "Rasmontr.dll", "Alf:heraklezeval:trojan:win32/neurevt", "Alf:trojan:win32/cassini_f28c33a2", "Artro", "Et", "Win32:malware-gen", "Snit", "Quasar rat", "Trojan:win32/cryptinject", "I-worm/bagle.qe", "Orcus rat", "#lowficreateremotethread", "Backdoor:win32/tofsee", "Trojan:win32/emotet.pc!mtb", "Backdoor:win32/botgor", "Backdoor:win32/mydoom", "Trojan:win32/delflob.a.dll", "Sabey", "Exodus", "Win32:delf-iwg\\ [trj]" ], "industries": [ "Technology", "Civilian devices", "Telecommunications", "Healthcare", "Government", "Civil society" ], "unique_indicators": 178179 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/a-poster.info", "whois": "http://whois.domaintools.com/a-poster.info", "domain": "a-poster.info", "hostname": "20work.a-poster.info" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 33, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b76c9a490b69b6a085b3", "name": "Exodus/cellbrite clone by Q Vashti", "description": "", "modified": "2026-03-12T12:54:04.160000", "created": "2026-03-12T12:54:04.160000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "6916e098df39114161354b23", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916e098df39114161354b23", "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ", "description": "", "modified": "2025-12-14T07:05:42.106000", "created": "2025-11-14T07:56:08.872000", "tags": [ "ssl certificate", "network", "malware", "whois record", "contacted", "pegasus", "resolutions", "communicating", "sa victim", "assaulter", "quasar", "brian sabey", "go.sabey", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "samples", "united", "aaaa", "status", "susp", "search", "passive dns", "urls", "domain", "creation date", "date", "next", "show", "domain related", "feeds ioc", "maltiverse", "analyze", "scan endpoints", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "china unknown", "as4134 chinanet", "unknown", "name servers", "showing", "namesilo", "domain name", "dynadot llc", "as8075", "script urls", "netherlands", "a domains", "capture", "asnone united", "record value", "expiration date", "entries", "cname", "tulach", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "available from", "iana id", "registrar abuse", "registrar url", "registrar whois", "abuse contact", "email", "registry domain", "code", "win32 exe", "ufed iphone", "cellebrite ufed", "setup", "tjprojmain", "ufed4pc", "win32 dll", "detections type", "name", "responder", "exodus", "android", "office open", "xml document", "cellebrite", "type name", "pdf cellebrite", "ufed release", "cellbrite", "privilege https", "targets sa", "survivor", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "file", "pattern match", "observed email", "path", "factory", "hybrid", "general", "model", "comspec", "click", "title", "page", "body doctype", "quoth", "raven", "gmt content", "type", "vary", "accept", "october", "december", "copy", "execution", "awful", "referrer", "april", "kimsuky", "malicious", "crypto", "startpage", "hacktool", "installer", "tofsee", "historical ssl", "threat roundup", "phishing", "utc submissions", "submitters", "csc corporate", "domains", "twitter", "dropbox", "incapsula", "summary iocs", "graph community", "registrarsafe", "gandi sas", "google llc", "amazon02", "google", "akamaias", "facebook", "service", "patch", "namecheapnet", "cloudflarenet", "amazonaes", "gmo internet", "apple", "tsara brashears", "keylogger" ], "references": [ "https://tulach.cc/", "cellebrite.com | https://cellebrite.com/en/federal-government/", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://twitter.com/PORNO_SEXYBABES", "hanmail.net", "114.114.114.114", "work.a-poster.info", "www-stage40.pornhub.com", "go.sabey.com", "sabey.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "PWS:Win32/Raven", "display_name": "PWS:Win32/Raven", "target": "/malware/PWS:Win32/Raven" }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "VirTool:Win32/Tofsee", "display_name": "VirTool:Win32/Tofsee", "target": "/malware/VirTool:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": "65a76c2901b34c79a681596d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4295, "FileHash-MD5": 322, "FileHash-SHA1": 296, "FileHash-SHA256": 3255, "domain": 2911, "hostname": 2894, "CVE": 2, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 13986, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f4c5545b3f6aa22cd15ac", "name": "www.anr.gov.pl", "description": "https://www.virustotal.com/gui/domain/www.anr.gov.pl/relations\nhttps://crt.sh/?q=mail1.anr.gov.pl", "modified": "2025-09-02T11:04:40.312000", "created": "2025-08-03T11:47:33.053000", "tags": [ "id03fam", "id48576" ], "references": [ "http://www.anr.gov.pl", "www.anr.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 744, "URL": 1367, "domain": 144, "email": 1, "hostname": 373, "CVE": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687439c2109c2b61e7afc717", "name": "OTX.AlienVault (2024) in Ebury Botnet-19/5/2024", "description": "", "modified": "2025-07-13T22:57:06.213000", "created": "2025-07-13T22:57:06.213000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "280 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccc0e15d2c624ffa080a50", "name": "Botgor | See OG Link: https://otx.alienvault.com/pulse/66ccbb1146fb07a45b6b97fe", "description": "", "modified": "2024-09-25T15:03:34.890000", "created": "2024-08-26T17:52:33.104000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": "66ccbb1146fb07a45b6b97fe", "export_count": 4029, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1492, "FileHash-MD5": 4799, "URL": 1297, "email": 17, "hostname": 1487, "FileHash-SHA1": 3901, "FileHash-SHA256": 8846, "URI": 1 }, "indicator_count": 21840, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://20work.a-poster.info", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://20work.a-poster.info", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641964.776985 }